Remove erroneous spi_master_put() after controller deregistration which would access the already freed spi controller.
Note that spi_unregister_master() drops our only controller reference.
Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
Cc: stable stable@vger.kernel.org # 4.9
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Johan Hovold johan@kernel.org
---
drivers/staging/greybus/spilib.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/greybus/spilib.c b/drivers/staging/greybus/spilib.c index e97b19148497..1e7321a1404c 100644 --- a/drivers/staging/greybus/spilib.c +++ b/drivers/staging/greybus/spilib.c @@ -544,11 +544,14 @@ int gb_spilib_master_init(struct gb_connection *connection, struct device *dev,
return 0;
-exit_spi_unregister: - spi_unregister_master(master); exit_spi_put: spi_master_put(master);
+ return ret; + +exit_spi_unregister: + spi_unregister_master(master); + return ret; } EXPORT_SYMBOL_GPL(gb_spilib_master_init); @@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_connection *connection) struct spi_master *master = gb_connection_get_data(connection);
spi_unregister_master(master); - spi_master_put(master); } EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
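Review bot: the two error labels in gb_spilib_master_init() now each end in their own `return ret;`, with exit_spi_put placed ahead of exit_spi_unregister, which reads like an inverted unwind order and invites a later cleanup that restores the fall-through. A one-line comment above exit_spi_unregister stating that spi_unregister_master() drops the controller reference, so no spi_master_put() may follow it, would make the asymmetry self-explanatory.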
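Review bot: in gb_spilib_master_exit(), master is still fetched with gb_connection_get_data(connection), and nothing in the lines shown clears that pointer once spi_unregister_master(master) has dropped the last reference. It is worth confirming that no later caller reads the connection data, or clearing it here, and adding a short comment that the unregister call is also the final put.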
On 29-10-17, 13:01, Johan Hovold wrote:
Remove erroneous spi_master_put() after controller deregistration which would access the already freed spi controller.
Note that spi_unregister_master() drops our only controller reference.
Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
Cc: stable stable@vger.kernel.org # 4.9
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Johan Hovold johan@kernel.org
---
drivers/staging/greybus/spilib.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/greybus/spilib.c b/drivers/staging/greybus/spilib.c index e97b19148497..1e7321a1404c 100644 --- a/drivers/staging/greybus/spilib.c +++ b/drivers/staging/greybus/spilib.c @@ -544,11 +544,14 @@ int gb_spilib_master_init(struct gb_connection *connection, struct device *dev, return 0; -exit_spi_unregister:
- spi_unregister_master(master);
exit_spi_put: spi_master_put(master);
- return ret;
+exit_spi_unregister:
- spi_unregister_master(master);
- return ret;
} EXPORT_SYMBOL_GPL(gb_spilib_master_init); @@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_connection *connection) struct spi_master *master = gb_connection_get_data(connection); spi_unregister_master(master);
- spi_master_put(master);
} EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
Acked-by: Viresh Kumar viresh.kumar@linaro.org
While looking at this I think I found another problem (I will send it as a separate patch later on) and this fixes it:
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 6e65524cbfd9..af7ca751b4f7 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -2261,11 +2261,11 @@ void spi_unregister_controller(struct spi_controller *ctlr) mutex_unlock(&board_lock);
dummy = device_for_each_child(&ctlr->dev, NULL, __unregister); - device_unregister(&ctlr->dev); /* free bus id */ mutex_lock(&board_lock); idr_remove(&spi_master_idr, ctlr->bus_num); mutex_unlock(&board_lock); + device_unregister(&ctlr->dev); } EXPORT_SYMBOL_GPL(spi_unregister_controller);
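Review bot: with device_unregister(&ctlr->dev) moved to the end of spi_unregister_controller(), the `/* free bus id */` comment still labels the idr_remove() block, but nothing records why the order matters. A comment saying that ctlr->bus_num must be read before device_unregister(), because that call can drop the last reference to ctlr, would keep the ordering from being undone later; the value assigned to dummy also appears unused in the lines shown.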
On Sun, Oct 29, 2017 at 06:13:28PM +0530, Viresh Kumar wrote:
On 29-10-17, 13:01, Johan Hovold wrote:
Remove erroneous spi_master_put() after controller deregistration which would access the already freed spi controller.
Note that spi_unregister_master() drops our only controller reference.
Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
Cc: stable stable@vger.kernel.org # 4.9
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Johan Hovold johan@kernel.org
Acked-by: Viresh Kumar viresh.kumar@linaro.org
While looking at this I think I found another problem (I will send it as a separate patch later on) and this fixes it:
That's right, and I already posted a fix for that use-after-free:
https://lkml.kernel.org/r/20171029115625.32385-1-johan@kernel.org
Thanks,
Johan
On 29-10-17, 13:51, Johan Hovold wrote:
That's right, and I already posted a fix for that use-after-free:
https://lkml.kernel.org/r/20171029115625.32385-1-johan@kernel.org
Great :)
Hi Johan,
Thanks for the patch.
On Sun 29 Oct 2017 at 12:01, Johan Hovold johan@kernel.org wrote:
Remove erroneous spi_master_put() after controller deregistration which would access the already freed spi controller.
Note that spi_unregister_master() drops our only controller reference.
Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
Cc: stable stable@vger.kernel.org # 4.9
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Johan Hovold johan@kernel.org
Reviewed-by: Rui Miguel Silva rmfrfs@gmail.com
---
Cheers,
Rui

drivers/staging/greybus/spilib.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/greybus/spilib.c b/drivers/staging/greybus/spilib.c index e97b19148497..1e7321a1404c 100644 --- a/drivers/staging/greybus/spilib.c +++ b/drivers/staging/greybus/spilib.c @@ -544,11 +544,14 @@ int gb_spilib_master_init(struct gb_connection *connection, struct device *dev, return 0; -exit_spi_unregister:
- spi_unregister_master(master);
exit_spi_put: spi_master_put(master);
- return ret;
+exit_spi_unregister:
- spi_unregister_master(master);
- return ret;
} EXPORT_SYMBOL_GPL(gb_spilib_master_init); @@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_connection *connection) struct spi_master *master = gb_connection_get_data(connection); spi_unregister_master(master);
- spi_master_put(master);
} EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
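The reference counting behind the commit message ("spi_unregister_master() drops our only controller reference"), as an added userspace model that is not part of the thread or of the kernel sources. The `model_*` names are hypothetical, and the object is never actually freed, so the stray put is counted instead of touching freed memory.

```c
/* Userspace model only; model_* names are hypothetical, not kernel APIs. */
#include <stdio.h>

struct model_ctlr {
	int refs;           /* outstanding references */
	int released;       /* times the release callback ran; must end at 1 */
	int put_after_free; /* puts after release; each would be a use-after-free */
};

static void model_put(struct model_ctlr *c)
{
	if (c->released) {  /* the real object is already freed at this point */
		c->put_after_free++;
		return;
	}
	if (--c->refs == 0)
		c->released++;
}

/* Deregistration consumes the initial reference taken at allocation. */
static void model_unregister(struct model_ctlr *c)
{
	model_put(c);
}

/*
 * Error unwinding of an init function.
 * registered:  0 = failure before registration, 1 = failure after it.
 * fallthrough: 1 = old label order (unregister, then fall into the put).
 */
static struct model_ctlr model_init_error(int registered, int fallthrough)
{
	struct model_ctlr c = { .refs = 1 }; /* allocation: caller's only ref */

	if (!registered) {
		model_put(&c);          /* exit_spi_put path */
		return c;
	}
	model_unregister(&c);       /* exit_spi_unregister path */
	if (fallthrough)
		model_put(&c);          /* the put the patch removes */
	return c;
}

int main(void)
{
	printf("old order, after registration: %d stray put(s)\n",
	       model_init_error(1, 1).put_after_free);
	printf("new order, after registration: %d stray put(s)\n",
	       model_init_error(1, 0).put_after_free);
	return 0;
}
```

Every path should end with `released == 1` and `put_after_free == 0`; only the old fall-through order after registration violates that.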