linux-kernel - Re: [PATCH] Revert "spi: simplify devm_spi_register

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <bf2811e4-86f4-140e-2a3d-388d265557c7@microchip.com>
Date:   Wed, 13 Jul 2022 06:37:08 +0000
From:   <Conor.Dooley@...rochip.com>
To:     <yangyingliang@...wei.com>, <broonie@...nel.org>
CC:     <linux-kernel@...r.kernel.org>, <linux-spi@...r.kernel.org>
Subject: Re: [PATCH] Revert "spi: simplify devm_spi_register_controller"

On 12/07/2022 14:55, Yang Yingliang wrote:
> This reverts commit 59ebbe40fb51e307032ae7f63b2749fad2d4635a.
> 
> If devm_add_action() fails in devm_add_action_or_reset(),
> devm_spi_unregister() will be called, it decreases the
> refcount of 'ctlr->dev' to 0, then it will cause uaf in
> the drivers that calling spi_put_controller() in error path.

Whether a revert is the right fix or not, this is the same
conclusion I came to reading your patch for my driver & on
that basis:

Reviewed-by: Conor Dooley <conor.dooley@...rochip.com>

Seems like the master variant of this is used over 40 times:
rg "(?s)devm_spi_register_master.*master_put" drivers/spi --multiline -l

> 
> Fixes: 59ebbe40fb51 ("spi: simplify devm_spi_register_controller")
> Signed-off-by: Yang Yingliang <yangyingliang@...wei.com>
> ---
>   drivers/spi/spi.c | 19 ++++++++++++++-----
>   1 file changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
> index dc1a324e3271..ef751ccd65be 100644
> --- a/drivers/spi/spi.c
> +++ b/drivers/spi/spi.c
> @@ -3130,9 +3130,9 @@ int spi_register_controller(struct spi_controller *ctlr)
>   }
>   EXPORT_SYMBOL_GPL(spi_register_controller);
>   
> -static void devm_spi_unregister(void *ctlr)
> +static void devm_spi_unregister(struct device *dev, void *res)
>   {
> -	spi_unregister_controller(ctlr);
> +	spi_unregister_controller(*(struct spi_controller **)res);
>   }
>   
>   /**
> @@ -3151,13 +3151,22 @@ static void devm_spi_unregister(void *ctlr)
>   int devm_spi_register_controller(struct device *dev,
>   				 struct spi_controller *ctlr)
>   {
> +	struct spi_controller **ptr;
>   	int ret;
>   
> +	ptr = devres_alloc(devm_spi_unregister, sizeof(*ptr), GFP_KERNEL);
> +	if (!ptr)
> +		return -ENOMEM;
> +
>   	ret = spi_register_controller(ctlr);
> -	if (ret)
> -		return ret;
> +	if (!ret) {
> +		*ptr = ctlr;
> +		devres_add(dev, ptr);
> +	} else {
> +		devres_free(ptr);
> +	}
>   
> -	return devm_add_action_or_reset(dev, devm_spi_unregister, ctlr);
> +	return ret;
>   }
>   EXPORT_SYMBOL_GPL(devm_spi_register_controller);
>