| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Nov 2021 16:27:27 +0000
From: Mark Brown <broonie@...nel.org>
To: Michael Walle <michael@...le.cc>
Cc: linux-spi@...r.kernel.org, linux-kernel@...r.kernel.org,
Uwe Kleine-König
<u.kleine-koenig@...gutronix.de>,
Vladimir Oltean <olteanv@...il.com>
Subject: Re: [RFC PATCH] spi: fix use-after-free of the add_lock mutex
On Wed, Nov 10, 2021 at 05:08:36PM +0100, Michael Walle wrote:
> Commit 6098475d4cb4 ("spi: Fix deadlock when adding SPI controllers on
> SPI buses") introduced a per-controller mutex. But mutex_unlock() of
> said lock is called after the controller is already freed:
>
> spi_unregister_controller(ctlr)
> -> put_device(&ctlr->dev)
> -> spi_controller_release(dev)
> mutex_unlock(&ctrl->add_lock)
>
> Move the put_device() after the mutex_unlock().
Do we even need to unlock the mutex here?
>
> For reference, the kernel oops is:
> [ 20.242505] Unable to handle kernel paging request at virtual address 0042a2203dc65260
> [ 20.250468] Mem abort info:
> [ 20.253270] ESR = 0x96000044
Please think hard before including complete backtraces in upstream
reports, they are very large and contain almost no useful information
relative to their size so often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.
Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)
Powered by blists - more mailing lists