[PATCH v2] spi: imx: fix use-after-free during driver removal
Frank Li
Frank.li at nxp.com
Thu Aug 8 08:58:27 PDT 2024
On Thu, Aug 08, 2024 at 05:52:23PM +0200, Kirill Yatsenko wrote:
> With CONFIG_SLUB_DEBUG_ON enabled, an unhandled fault error appears
> when unbinding the driver.
>
> The SPI controller driver memory is freed inside spi_imx_remove prior
> to executing PM callbacks, thus leading to a use-after-free.
>
> Fix it by switching to the devm version of spi_register_controller.
>
> Unhandled fault: alignment exception (0x001) at 0x6b6b6c53
> [6b6b6c53] *pgd=00000000
> Internal error: : 1 [#1] PREEMPT SMP ARM
> Modules linked in:
> CPU: 2 PID: 1241 Comm: rebind.sh Not tainted 6.10.0-dnm3pv2-dnm3pv2-ga03695deba11 #1
> Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
> PC is at __pm_runtime_resume+0x58/0x6c
> LR is at spi_imx_remove+0x1c/0xa8
> pc : [<80632438>] lr : [<806ebefc>] psr: 20010013
> sp : f1d81e88 ip : 83c0e204 fp : 00000000
> r10: 00000000 r9 : 00000000 r8 : 82dd9454
> r7 : 82dda054 r6 : 810f82f0 r5 : 00000004 r4 : 6b6b6b6b
> r3 : 6b6b6c53 r2 : 85321240 r1 : 00000004 r0 : 6b6b6b6b
> Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
> Control: 10c5387d Table: 1687c04a DAC: 00000051
>
> Register r12 information: slab kmalloc-64 start 83c0e180 data offset 64 pointer offset 68 size 64 allocated at kobject_set_name_vargs+0x2c/0xa0
> kmalloc_node_track_caller_noprof+0x14c/0x37c
> kvasprintf+0x5c/0xcc
> kobject_set_name_vargs+0x2c/0xa0
> dev_set_name+0x2c/0x58
> spi_register_controller+0xcc/0xc48
> spi_imx_probe+0x41c/0x694
> platform_probe+0x5c/0xb0
> really_probe+0xe0/0x3cc
> __driver_probe_device+0x9c/0x1e0
> driver_probe_device+0x30/0xc0
> __driver_attach+0x11c/0x1cc
> bus_for_each_dev+0x7c/0xcc
> bus_add_driver+0xe0/0x220
> driver_register+0x7c/0x114
> do_one_initcall+0x58/0x240
> kernel_init_freeable+0x198/0x1f4
> Free path:
> kobject_put+0xd0/0x29c
> spi_imx_remove+0x10/0xa8
> platform_remove+0x20/0x5c
> device_release_driver_internal+0x184/0x1f0
> unbind_store+0x54/0x90
> kernfs_fop_write_iter+0xfc/0x1e8
> vfs_write+0x25c/0x450
> ksys_write+0x70/0xf0
> ret_fast_syscall+0x0/0x54
>
> Call trace:
> __pm_runtime_resume from spi_imx_remove+0x1c/0xa8
> spi_imx_remove from platform_remove+0x20/0x5c
> platform_remove from device_release_driver_internal+0x184/0x1f0
> device_release_driver_internal from unbind_store+0x54/0x90
> unbind_store from kernfs_fop_write_iter+0xfc/0x1e8
> kernfs_fop_write_iter from vfs_write+0x25c/0x450
> vfs_write from ksys_write+0x70/0xf0
> ksys_write from ret_fast_syscall+0x0/0x54
>
> Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
> Signed-off-by: Kirill Yatsenko <kirill.yatsenko at camlingroup.com>
Avoid sending v2 with the v1 message id in future; it should be a new email thread.
Reviewed-by: Frank Li <Frank.Li at nxp.com>
> ---
> Changes in v2:
> Shorter Kernel oops message
> ---
> drivers/spi/spi-imx.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
> index 4a56a5b16e12..14834c4e839a 100644
> --- a/drivers/spi/spi-imx.c
> +++ b/drivers/spi/spi-imx.c
> @@ -1854,7 +1854,7 @@ static int spi_imx_probe(struct platform_device *pdev)
> spi_imx->devtype_data->intctrl(spi_imx, 0);
>
> controller->dev.of_node = pdev->dev.of_node;
> - ret = spi_register_controller(controller);
> + ret = devm_spi_register_controller(&pdev->dev, controller);
> if (ret) {
> dev_err_probe(&pdev->dev, ret, "register controller failed\n");
> goto out_register_controller;
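Review bot: the ordering this conversion relies on is invisible at the call site: with devm_spi_register_controller() the controller is unregistered by devres release only after spi_imx_remove() returns, and if this is the last devm_ call in probe that release also runs before any earlier devm-managed resource is torn down. Add a one-line comment here (or in spi_imx_remove()) saying that the controller and its devdata stay valid for the whole of remove() because unregistration is deferred to devres, so the next person who touches the remove path does not reintroduce an explicit unregister. Also confirm that the `out_register_controller` label the error path still jumps to does not itself unregister anything, since a failed devm_spi_register_controller() leaves nothing registered.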
> @@ -1900,8 +1900,6 @@ static void spi_imx_remove(struct platform_device *pdev)
> struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
> int ret;
>
> - spi_unregister_controller(controller);
> -
> ret = pm_runtime_get_sync(spi_imx->dev);
> if (ret >= 0)
> writel(0, spi_imx->base + MXC_CSPICTRL);
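Review bot: the writel(0, spi_imx->base + MXC_CSPICTRL) now runs while the controller is still registered, because the spi_unregister_controller() dropped here executes only from devres release after this function returns; a message a client queues between this write and that deferred unregister is handed to a disabled controller. If that window matters for this hardware, either let the queue be quiesced before disabling (spi_unregister_controller() does that as part of its teardown), or keep an explicit unregister ahead of the register write while holding a reference: spi_controller_get(controller) before spi_unregister_controller(controller), and spi_controller_put(controller) at the end of remove(), keeps spi_imx alive without the devm conversion. With the patch as posted, the pm_runtime_get_sync(spi_imx->dev) that faulted (r0 = 0x6b6b6b6b in the oops is the poisoned spi_imx->dev) reads live memory, which is the fix's actual goal.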
> --
> 2.34.1
>
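The mechanism in the commit message, as an added stand-alone user-space model that is not part of the patch or of the kernel: the controller and its devdata live in one reference-counted allocation, an explicit spi_unregister_controller() in remove() drops the last reference and frees it, and every later access through spi_imx reads SLUB's 0x6b poison. In the register dump above r0 and r4 hold exactly that value, 0x6b6b6b6b, and the faulting address 0x6b6b6c53 is that poisoned pointer plus 0xe8, i.e. a field read through the freed spi_imx->dev. Every symbol with a _model suffix, the one-object "slab", the devres list and the 0x1234 cookie are constructed here to stand in for the kernel pieces of the same name; they are assumptions, not the driver's code.

```c
/* Constructed user-space model of the bug described above; not kernel code.
 * Every *_model symbol stands in for the kernel function of the same name. */
#include <stdint.h>
#include <string.h>

/* One-object "slab": freeing poisons the object with 0x6b, as SLUB_DEBUG_ON does. */
static unsigned char slab[64];
static int slab_allocated;

static void *kzalloc_model(void)
{
	if (slab_allocated)
		return NULL;
	slab_allocated = 1;
	memset(slab, 0, sizeof(slab));
	return slab;
}

static void kfree_model(void *p)
{
	if (p == (void *)slab && slab_allocated) {
		slab_allocated = 0;
		memset(slab, 0x6b, sizeof(slab));	/* SLUB poison, not zero */
	}
}

/* Driver data shares the controller's allocation (spi_alloc_host() in the kernel). */
struct spi_imx_data {
	uint32_t ctrl_reg;	/* models the MXC_CSPICTRL register */
	uint32_t dev_cookie;	/* models the spi_imx->dev pointer the oops dereferenced */
};

struct spi_controller {
	int refcount;
	struct spi_imx_data devdata;	/* what spi_controller_get_devdata() returns */
};

/* devres list: the driver core runs it, newest entry first, after remove() returns. */
typedef void (*devres_fn)(struct spi_controller *);
static struct { devres_fn fn; struct spi_controller *arg; } devres[8];
static int devres_count;

static void devm_add_action_model(devres_fn fn, struct spi_controller *c)
{
	devres[devres_count].fn = fn;
	devres[devres_count++].arg = c;
}

static void devres_release_all_model(void)
{
	for (; devres_count > 0; devres_count--)
		devres[devres_count - 1].fn(devres[devres_count - 1].arg);
}

static struct spi_controller *spi_alloc_host_model(void)
{
	struct spi_controller *c = kzalloc_model();
	if (c) {
		c->refcount = 1;			/* the reference probe holds */
		c->devdata.dev_cookie = 0x1234u;	/* a live-looking "pointer" */
	}
	return c;
}

static void spi_unregister_controller_model(struct spi_controller *c)
{
	if (--c->refcount == 0)
		kfree_model(c);		/* last reference: controller and devdata are gone */
}

/* Before the patch: unregister first, then dereference devdata. */
static uint32_t spi_imx_remove_before(struct spi_controller *controller)
{
	struct spi_imx_data *spi_imx = &controller->devdata;
	spi_unregister_controller_model(controller);
	/* pm_runtime_get_sync(spi_imx->dev): this read hits freed, poisoned
	 * memory and yields 0x6b6b6b6b, the value in r0/r4 of the oops. */
	return spi_imx->dev_cookie;
}

/* After the patch: unregister is deferred to devres, so devdata is still alive. */
static uint32_t spi_imx_remove_after(struct spi_controller *controller)
{
	controller->devdata.ctrl_reg = 0;	/* writel(0, spi_imx->base + MXC_CSPICTRL) */
	return controller->devdata.dev_cookie;	/* still 0x1234 */
}

/* One probe/unbind cycle as the driver core sequences it; returns the value
 * remove() read through spi_imx->dev. slab_allocated is 0 afterwards either way. */
static uint32_t unbind_model(int use_devm)
{
	struct spi_controller *c = spi_alloc_host_model();
	uint32_t seen;
	if (!c)
		return 0;
	c->devdata.ctrl_reg = 1u;	/* controller enabled by probe */
	if (use_devm)
		devm_add_action_model(spi_unregister_controller_model, c);
	seen = use_devm ? spi_imx_remove_after(c) : spi_imx_remove_before(c);
	devres_release_all_model();	/* driver core: devres runs after remove() */
	return seen;
}
```

unbind_model(0) mirrors the removed hunk and returns the poison value, unbind_model(1) mirrors the patched driver and returns the live cookie; both free the allocation exactly once. The devm variant is correct only because devres release runs after remove() returns, which is also why the real remove() now runs while the controller is still registered.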
More information about the linux-arm-kernel mailing list