Date: Thu, 22 Oct 2020 14:12:54 +0200
From: Lukas Wunner
To: Florian Fainelli
Cc: Mark Brown, Vladimir Oltean, linux-kernel@vger.kernel.org, linux-spi
Subject: Re: Use after free in bcm2835_spi_remove()
Message-ID: <20201022121254.GA3847@wunner.de>
References: <20201014140912.GB24850@wunner.de> <20201014194035.ukduovokggu37uba@skbuf> <20201014202505.GF4580@sirena.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Oct 14, 2020 at 02:20:16PM -0700, Florian Fainelli wrote:
> In bcm2835_spi_remove(), spi_controller_unregister() will free the ctlr
> reference which will lead to a use after free in bcm2835_release_dma().
>
> To avoid this use after free, allocate the bcm2835_spi structure with a
> different lifecycle than the spi_controller structure such that we
> unregister the SPI controller, free up all the resources and finally let
> device managed allocations free the bcm2835_spi structure.
[...]
> -	if (ctlr->dma_tx) {
> -		dmaengine_terminate_sync(ctlr->dma_tx);
> +	if (dma_tx) {
> +		dmaengine_terminate_sync(dma_tx);
>  
>  		if (bs->fill_tx_desc)
>  			dmaengine_desc_free(bs->fill_tx_desc);
>  
>  		if (bs->fill_tx_addr)
> -			dma_unmap_page_attrs(ctlr->dma_tx->device->dev,
> +			dma_unmap_page_attrs(dma_tx->device->dev,
>  					     bs->fill_tx_addr, sizeof(u32),
>  					     DMA_TO_DEVICE,
>  					     DMA_ATTR_SKIP_CPU_SYNC);
>  
> -		dma_release_channel(ctlr->dma_tx);
> -		ctlr->dma_tx = NULL;
> +		dma_release_channel(dma_tx);
>  	}

You must set ctlr->dma_tx and ctlr->dma_rx to NULL because the driver
checks their value in a couple of places. E.g. bcm2835_spi_setup()
checks ctlr->dma_rx.

Likewise, the error paths of bcm2835_dma_init() and bcm2835_spi_probe()
call bcm2835_dma_release() and the latter checks ctlr->dma_tx and
ctlr->dma_rx to determine whether DMA was set up, hence needs to be
torn down.

> +	bs = devm_kzalloc(&pdev->dev, sizeof(*bs), GFP_KERNEL);
> +	if (!bs)
> +		return -ENOMEM;
> +
>  	ctlr = spi_alloc_master(&pdev->dev, ALIGN(sizeof(*bs),
>  				dma_get_cache_alignment()));

You can set the second argument to spi_alloc_master() to 0 to conserve
memory.

Thanks,

Lukas
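Review bot: In the bcm2835_release_dma() hunk, dropping `ctlr->dma_tx = NULL;` after `dma_release_channel(dma_tx);` leaves the controller pointing at a channel that has just been released, and the hunk does not show where the local `dma_tx` is taken from. Note the tension with the commit message: if this function really runs after spi_controller_unregister() has freed ctlr, then re-adding the clearing store here would itself be a write to freed memory, so the pointers have to be cleared (and the channels released) while ctlr is still alive, i.e. the DMA teardown has to be ordered before the unregister rather than merely switched to a local copy of the pointer. Either way, a comment that a NULL `ctlr->dma_tx` is what later teardown paths use to decide whether DMA was set up would stop the next person from removing it again.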
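Review bot: In the bcm2835_spi_probe() hunk, `spi_alloc_master(&pdev->dev, ALIGN(sizeof(*bs), dma_get_cache_alignment()))` still reserves a full bcm2835_spi-sized private area in the controller even though `bs` now comes from `devm_kzalloc(&pdev->dev, sizeof(*bs), GFP_KERNEL)`, so that area is allocated and never used; pass 0 there. A one-line comment above the devm_kzalloc() saying that `bs` deliberately lives outside the controller's private data because it must outlive spi_controller_unregister() would document the lifecycle split the commit message describes, since nothing in the code itself explains why the two allocations are separate.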
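A user-space model of the teardown pattern Lukas describes, added here as an example and not code from the driver or from anyone in the thread: a release routine that frees the DMA channels but leaves the `ctlr->dma_*` pointers stale double-releases when teardown runs a second time (an init error path followed by the probe error path), whereas clearing the pointers makes the second call a no-op. `release_dma_stale`, `release_dma_clear`, `simulate`, the counters and the channel stand-ins are hypothetical names constructed for the model.

```c
#include <stddef.h>

/* Hypothetical user-space model of the bcm2835 DMA teardown pattern discussed
 * above; none of this is the driver's code.  A channel with refs > 0 is held. */
struct dma_chan { int refs; };
struct controller { struct dma_chan *dma_tx, *dma_rx; };
static struct dma_chan tx_chan, rx_chan;  /* constructed stand-ins for DMA channels */
static int double_releases;               /* releases of a channel nobody holds */

static void dma_release_channel(struct dma_chan *chan)
{
	if (chan->refs == 0)
		double_releases++;        /* the defect we want to detect */
	else
		chan->refs--;
}

/* Variant 1, as in the posted hunk: channels are released but the controller
 * keeps pointing at them, so a later caller cannot tell DMA was torn down. */
static void release_dma_stale(struct controller *ctlr)
{
	if (ctlr->dma_tx) dma_release_channel(ctlr->dma_tx);
	if (ctlr->dma_rx) dma_release_channel(ctlr->dma_rx);
}

/* Variant 2, what the reply asks for: the pointer doubles as the "DMA was set
 * up" flag, so clearing it makes a second teardown a no-op. */
static void release_dma_clear(struct controller *ctlr)
{
	if (ctlr->dma_tx) {
		dma_release_channel(ctlr->dma_tx);
		ctlr->dma_tx = NULL;
	}
	if (ctlr->dma_rx) {
		dma_release_channel(ctlr->dma_rx);
		ctlr->dma_rx = NULL;
	}
}

/* Both channels requested, then teardown runs twice (DMA init error path,
 * then probe error path).  Returns the number of double releases observed. */
static int simulate(void (*release)(struct controller *))
{
	struct controller ctlr = { &tx_chan, &rx_chan };
	tx_chan.refs = rx_chan.refs = 1;
	double_releases = 0;
	release(&ctlr);
	release(&ctlr);
	return double_releases;
}
```

In the real driver the second release would act on a channel the dmaengine core has already handed back, which is why the NULL store is load-bearing rather than cosmetic.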