Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp646802pxu; Wed, 14 Oct 2020 10:03:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZ3mHLMIV7Ar27n8WGkwtcq4or7zR6qVcEhJBIl/LEwx74+f9MCQ1dWgdF3UUGeyYEnLiA X-Received: by 2002:aa7:cf93:: with SMTP id z19mr6418618edx.26.1602695029434; Wed, 14 Oct 2020 10:03:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602695029; cv=none; d=google.com; s=arc-20160816; b=QabcNj4I4XNv3lKbpXVLJ906KtDC1caAbDMfgK6oiC1/zpzwKfGSn/man3pNWyu7GH ufS1abKLktZ8jeI+3e1M2u0+BhqNwvdy+Vij2gwnwosoUIOSaxCJV6yQxDc/m8agN9Nv tfeS6Zwb7/wgz7U+Zul8zSPwa4AuYI1WFGCOeXTrlg8/U/Mkxot7GSH4UvyWulGKn57o Gl9FlCQlx3juYTVLtVfC8pE9HHylb4VjtsklsnrXKD36GWaGzp4aNoTI8DW/pAIL8/5H wWD8iur35GaBZoeTBUbT6U2+n2PGgpkh5tJsr9uFUVKYpSA4mpsA9X2sl+GcyBR7J1NM lcBg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=o/z8nqpd0L7AVc5NBDK4ld1TmYhgdwnIPg0jmqXa6dw=; b=hfXDVjrQ0H06QVlbrkcj6O6yqf/1R7UP8f6ysYnoe8R5xqyR8CzEIdOGqgwrINPw8d An3lOSpWV6mTtNmFTsOBmmGct7riRSPSisVF6lZuSE3OEpOSxY/Qaqndh60S9oDFKW/q Y4hhFw1p706JYyds59jLa8GOQ62n77wv1q8kO9oQSCLguK9+WrELqC1CILQoqN34jZ8D 0NAESzBxXjfRAztRywVmyGiSMT3FiQ417UZFfK/0SeJ7hStrftSEZl08G2u+Vy0oGj74 wlAEiPX1ErToA86zNv1KsTfHvg7lQh6rFxi3TF0fNM2emq0m8z2MMUwS4X3kq9WWJ/TH Wc5g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p16si146084ejb.522.2020.10.14.10.03.20; Wed, 14 Oct 2020 10:03:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729171AbgJNOJR (ORCPT + 99 others); Wed, 14 Oct 2020 10:09:17 -0400 Received: from bmailout2.hostsharing.net ([83.223.78.240]:59027 "EHLO bmailout2.hostsharing.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727684AbgJNOJQ (ORCPT ); Wed, 14 Oct 2020 10:09:16 -0400 Received: from h08.hostsharing.net (h08.hostsharing.net [83.223.95.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.hostsharing.net", Issuer "COMODO RSA Domain Validation Secure Server CA" (not verified)) by bmailout2.hostsharing.net (Postfix) with ESMTPS id BD1232800B483; Wed, 14 Oct 2020 16:09:12 +0200 (CEST) Received: by h08.hostsharing.net (Postfix, from userid 100393) id A41F418764F; Wed, 14 Oct 2020 16:09:12 +0200 (CEST) Date: Wed, 14 Oct 2020 16:09:12 +0200 From: Lukas Wunner To: Florian Fainelli Cc: "linux-kernel@vger.kernel.org" , linux-spi , Mark Brown Subject: Re: Use after free in bcm2835_spi_remove() Message-ID: <20201014140912.GB24850@wunner.de> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Oct 13, 2020 at 04:48:42PM -0700, Florian Fainelli wrote: > With KASAN now working on ARM 32-bit, I was able to get the following > trace upon reboot which invokes bcm2835_spi_shutdown() calling > bcm2835_spi_remove(), the same can be triggered by doing a driver unbind: Thank you for the report. Apparently the problem is that spi_unregister_controller() drops the last ref on the controller, causing it to be freed, and afterwards we access the controller's private data, which is part of the same allocation as struct spi_controller: bcm2835_spi_remove() spi_unregister_controller() device_unregister() put_device() spi_controller_release() # spi_master_class.dev_release() kfree(ctlr) bcm2835_dma_release(ctlr, bs) ... However, when I submitted commit 9dd277ff92d0, I double-checked that the kfree() happens after bcm2835_spi_remove() has finished and I even wrote in the commit message: "Note that the struct spi_controller as well as the driver-private data are not freed until after bcm2835_spi_remove() has finished, so accessing them is safe." I'm puzzled now that it doesn't work as intended. I do not see any recent commits which changed the behavior, so I must have made a mistake and missed something. The below patch should fix the issue. Could you verify that? Unfortunately I do not have access to a RasPi currently. An alternative to this patch would be a devm function which acquires a ref on the spi controller on ->probe() and automatically releases it after ->remove() has finished. This could be used by other SPI drivers as well. Thanks, Lukas -- >8 -- diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c index 41986ac..5254fda 100644 --- a/drivers/spi/spi-bcm2835.c +++ b/drivers/spi/spi-bcm2835.c @@ -1377,6 +1377,7 @@ static int bcm2835_spi_remove(struct platform_device *pdev) bcm2835_debugfs_remove(bs); + spi_controller_get(ctlr); spi_unregister_controller(ctlr); bcm2835_dma_release(ctlr, bs); @@ -1386,6 +1387,7 @@ static int bcm2835_spi_remove(struct platform_device *pdev) BCM2835_SPI_CS_CLEAR_RX | BCM2835_SPI_CS_CLEAR_TX); clk_disable_unprepare(bs->clk); + spi_controller_put(ctlr); return 0; }