| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 29 Oct 2017 12:56:25 +0100
From: Johan Hovold <johan@...nel.org>
To: Mark Brown <broonie@...nel.org>
Cc: linux-spi@...r.kernel.org, linux-kernel@...r.kernel.org,
Johan Hovold <johan@...nel.org>,
Lars-Peter Clausen <lars@...afoo.de>
Subject: [PATCH 3/3] spi: spi-axi: take extra controller reference before deregistration
Take an extra reference to the controller to avoid use-after-free in
free_irq() which is called only after the controller has been
deregistered and freed.
Note that this is not an issue for this particular driver which does not
use shared interrupts, but free_irq() could otherwise end up accessing
the freed controller when CONFIG_DEBUG_SHIRQ is set.
Defer controller release until free_irq() returns to prevent this
from ever becoming an issue should this code be replicated in other
drivers.
Cc: Lars-Peter Clausen <lars@...afoo.de>
Signed-off-by: Johan Hovold <johan@...nel.org>
---
drivers/spi/spi-axi-spi-engine.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-axi-spi-engine.c b/drivers/spi/spi-axi-spi-engine.c
index 6ab4c7700228..68cfc351b47f 100644
--- a/drivers/spi/spi-axi-spi-engine.c
+++ b/drivers/spi/spi-axi-spi-engine.c
@@ -553,7 +553,7 @@ static int spi_engine_probe(struct platform_device *pdev)
static int spi_engine_remove(struct platform_device *pdev)
{
- struct spi_master *master = platform_get_drvdata(pdev);
+ struct spi_master *master = spi_master_get(platform_get_drvdata(pdev));
struct spi_engine *spi_engine = spi_master_get_devdata(master);
int irq = platform_get_irq(pdev, 0);
@@ -561,6 +561,8 @@ static int spi_engine_remove(struct platform_device *pdev)
free_irq(irq, master);
+ spi_master_put(master);
+
writel_relaxed(0xff, spi_engine->base + SPI_ENGINE_REG_INT_PENDING);
writel_relaxed(0x00, spi_engine->base + SPI_ENGINE_REG_INT_ENABLE);
writel_relaxed(0x01, spi_engine->base + SPI_ENGINE_REG_RESET);
--
2.14.3
Powered by blists - more mailing lists