Date: Wed, 14 Oct 2020 21:25:05 +0100
From: Mark Brown
To: Vladimir Oltean
Cc: Lukas Wunner, Florian Fainelli, "linux-kernel@vger.kernel.org", linux-spi
Subject: Re: Use after free in bcm2835_spi_remove()
Message-ID: <20201014202505.GF4580@sirena.org.uk>
References: <20201014140912.GB24850@wunner.de> <20201014194035.ukduovokggu37uba@skbuf>
In-Reply-To: <20201014194035.ukduovokggu37uba@skbuf>

On Wed, Oct 14, 2020 at 10:40:35PM +0300, Vladimir Oltean wrote:
> On Wed, Oct 14, 2020 at 04:09:12PM +0200, Lukas Wunner wrote:

> > Apparently the problem is that spi_unregister_controller() drops the
> > last ref on the controller, causing it to be freed, and afterwards we
> > access the controller's private data, which is part of the same
> > allocation as struct spi_controller:
> >
> >   bcm2835_spi_remove()
> >     spi_unregister_controller()
> >       device_unregister()
> >         put_device()
> >           spi_controller_release()  # spi_master_class.dev_release()
> >             kfree(ctlr)
> >     bcm2835_dma_release(ctlr, bs)

> Also see these threads:
> https://lore.kernel.org/linux-spi/20200922112241.GO4792@sirena.org.uk/T/#t
> https://lore.kernel.org/linux-spi/270b94fd1e546d0c17a735c1f55500e58522da04.camel@suse.de/T/#u

Right, the proposed patch is yet another way to fix the issue - it all
comes back to the fact that you shouldn't be using the driver data after
unregistering if it was allocated as part of allocating the controller.
This framework feature is unfortunately quite error prone.
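The ordering problem discussed in this thread, as an added userspace model in C (not code from the kernel, the driver, or any of the posters). `struct ctlr`, `struct drv_priv`, the `ctlr_*` helpers, `dma_release` and the `remove_*` functions are hypothetical names, and holding an extra reference across teardown is one possible ordering assumed here for illustration, not the patch under discussion.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model: driver data sits right after struct ctlr in one allocation. */
struct ctlr { int refcount; int released; };
struct drv_priv { int dma_active; };            /* hypothetical driver state */

static struct drv_priv *ctlr_priv(struct ctlr *c) { return (void *)(c + 1); }
static void ctlr_get(struct ctlr *c) { c->refcount++; }
/* Last put: where the release callback would kfree(ctlr). The model only marks it. */
static void ctlr_put(struct ctlr *c) { if (--c->refcount == 0) c->released = 1; }
static void ctlr_unregister(struct ctlr *c) { ctlr_put(c); }

/* Stand-in for bcm2835_dma_release(ctlr, bs): -1 means it touched released data. */
static int dma_release(struct ctlr *c)
{
	if (c->released)
		return -1;
	ctlr_priv(c)->dma_active = 0;
	return 0;
}
/* Ordering from the report: unregister, then use the private data. */
static int remove_buggy(struct ctlr *c)
{
	ctlr_unregister(c);
	return dma_release(c);
}
/* One possible ordering (assumption): hold a reference across the teardown. */
static int remove_with_ref(struct ctlr *c)
{
	int ret;
	ctlr_get(c);
	ctlr_unregister(c);
	ret = dma_release(c);
	ctlr_put(c);            /* final put: the block is released only now */
	return ret;
}
/* Allocate controller plus private data, run one remove path, report its result. */
static int run(int (*remove_fn)(struct ctlr *))
{
	struct ctlr *c = calloc(1, sizeof(*c) + sizeof(struct drv_priv));
	int ret = -2;
	if (c) {
		c->refcount = 1;
		ret = remove_fn(c);
	}
	free(c);
	return ret;
}
int main(void)
{
	printf("buggy=%d with_ref=%d\n", run(remove_buggy), run(remove_with_ref));
	return 0;
}
```

The model marks the block as released instead of freeing it at the last put, so the late access shows up as a return value rather than as undefined behaviour.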