Re: [PATCH 1/2] SPI: Add SPI driver for Sunplus SP7021

From: Lukas Wunner
Date: Sun Nov 14 2021 - 03:02:35 EST

Next message: kernel test robot: "[jolsa-perf:ftrace/direct 8/8] samples/ftrace/ftrace-direct-multi.c:8:6: error: no previous prototype for 'my_direct_func'"
Previous message: Marc Orr: "Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support"
In reply to: Andy Shevchenko: "Re: [PATCH 1/2] SPI: Add SPI driver for Sunplus SP7021"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Nov 01, 2021 at 02:18:44PM +0800, LH.Kuo wrote:
> + if (mode == SPI_SLAVE)
> + ctlr = spi_alloc_slave(&pdev->dev, sizeof(*pspim));
> + else
> + ctlr = spi_alloc_master(&pdev->dev, sizeof(*pspim));
> + if (!ctlr)
> + return -ENOMEM;

You need to use devm_spi_alloc_master() and devm_spi_alloc_slave() here
to avoid a use-after-free in pentagram_spi_controller_remove():

That's because spi_unregister_master() frees the spi_controller struct
and the adjacent pspim allocation and pentagram_spi_controller_remove()
accesses pspim afterwards.

The allocation is *not* freed by spi_unregister_master() if the devm_*
variants are used for allocation. Rather, the allocation is freed only
after pentagram_spi_controller_remove() has finished.

> +free_alloc:
> + spi_controller_put(ctlr);

This can be dropped if the devm_* variants are used for allocation.

> + spi_unregister_master(pspim->ctlr);

Please use spi_unregister_controller() here. (It could be a slave.)

Thanks,

Lukas

Next message: kernel test robot: "[jolsa-perf:ftrace/direct 8/8] samples/ftrace/ftrace-direct-multi.c:8:6: error: no previous prototype for 'my_direct_func'"
Previous message: Marc Orr: "Re: [PATCH Part2 v5 00/45] Add AMD Secure Nested Paging (SEV-SNP) Hypervisor Support"
In reply to: Andy Shevchenko: "Re: [PATCH 1/2] SPI: Add SPI driver for Sunplus SP7021"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]