From patchwork Mon Oct 30 10:35:25 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Johan Hovold
X-Patchwork-Id: 10032311
From: Johan Hovold To: Mark Brown Cc: linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Lars-Peter Clausen , Johan Hovold , stable , Suniel Mahesh , Karthik Tummala Subject: [PATCH v2 1/3] spi: fix use-after-free at controller deregistration Date: Mon, 30 Oct 2017 11:35:25 +0100 Message-Id: <20171030103527.13535-1-johan@kernel.org> X-Mailer: git-send-email 2.14.3 Sender: linux-spi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-spi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The controller is typically freed as part of device_unregister() so store the bus id before deregistration to avoid use-after-free when the id is later released. Fixes: 9b61e302210e ("spi: Pick spi bus number from Linux idr or spi alias") Cc: stable # 4.13 Cc: Suniel Mahesh Cc: Karthik Tummala Signed-off-by: Johan Hovold --- drivers/spi/spi.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index e8b5a5e21b2e..3ff0ee88c467 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -2245,11 +2245,12 @@ static int __unregister(struct device *dev, void *null) void spi_unregister_controller(struct spi_controller *ctlr) { struct spi_controller *found; + int id = ctlr->bus_num; int dummy; /* First make sure that this controller was ever added */ mutex_lock(&board_lock); - found = idr_find(&spi_master_idr, ctlr->bus_num); + found = idr_find(&spi_master_idr, id); mutex_unlock(&board_lock); if (found != ctlr) { dev_dbg(&ctlr->dev, @@ -2269,7 +2270,7 @@ void spi_unregister_controller(struct spi_controller *ctlr) device_unregister(&ctlr->dev); /* free bus id */ mutex_lock(&board_lock); - idr_remove(&spi_master_idr, ctlr->bus_num); + idr_remove(&spi_master_idr, id); mutex_unlock(&board_lock); } EXPORT_SYMBOL_GPL(spi_unregister_controller);
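Review bot: In the first hunk, the new declaration "int id = ctlr->bus_num;" at the top of spi_unregister_controller() has no comment saying why the bus number is copied to a local, so a later cleanup could fold it back into ctlr->bus_num and reintroduce the use-after-free. A one-line comment at the declaration would prevent that, for example noting that ctlr may be freed by device_unregister() and the id is still needed for the idr_remove() that follows it.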
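Review bot: In the second hunk, between "device_unregister(&ctlr->dev);" and "idr_remove(&spi_master_idr, id);" the idr still maps id to a controller that, per the commit message, has typically been freed, and board_lock is not held across that window. The lookup visible in the first hunk only compares the returned pointer ("found != ctlr") and does not dereference it, which is fine, but please confirm that no other idr_find() user on spi_master_idr dereferences the entry before it is removed. It would also help to extend the "/* free bus id */" comment to state that ctlr must not be touched from that point on.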