[PATCH] spi: bcm2835: Add spi_master_get() call to prevent use after free
Axel Lin
axel.lin at ingics.com
Thu Aug 22 08:48:36 EDT 2013
2013/8/22 Axel Lin <axel.lin at ingics.com>:
> 2013/8/22 Mark Brown <broonie at kernel.org>:
>> On Sat, Aug 17, 2013 at 10:18:01AM +0800, Axel Lin wrote:
>>> The call to spi_unregister_master results in device memory being freed, it must
>>> no longer be accessed afterwards. Thus call spi_master_get to get an extra
>>> reference to the device and call spi_master_put only after the last access to
>>> device data.
>>
>> This seems a bit odd because it adds a get but no matching put - surely
>> that means it's either adding a resource leak or there is a double free?
>>
>> It looks like the problem here is that we shouldn't be calling put() at
>> all since that work is done as part of unregistering the master.
> I think the reason is current code access bs->clk *after*
> spi_unregister_master().
> If spi_unregister_master() free the memory, we should not access the
> memory allocated
> by spi_alloc_master().
> Thus add spi_master_get() to prevent spi_unregister_master() free the memory.
> And then call spi_master_put only after the last access to device data.
BTW, In current code it looks like we have an extra spi_master_put() call.
I guess just nobody compile this driver as a module.
More information about the linux-rpi-kernel
mailing list