Message ID | dd060534490eca5e946eb9165916542b01a9358d.1604874488.git.lukas@wunner.de |
---|---|
State | Accepted |
Commit | 373afef350a93519b4b8d636b0895da8650b714b |
Headers | show |
Series | spi: davinci: Fix use-after-free on unbind | expand |
On Mon, Nov 9, 2020 at 12:52 AM Lukas Wunner <lukas@wunner.de> wrote: > > If the calls to platform_get_irq() or devm_request_irq() fail on probe > of the SynQuacer SPI driver, the clock "sspi->clk" is erroneously not > unprepared and disabled. > > If the clock rate "master->max_speed_hz" cannot be determined, the same > happens and in addition the spi_master struct is not freed. Wouldn't be better to switch over devm_add_action_or_reset() in such cases?
On Sun, 8 Nov 2020 23:41:00 +0100, Lukas Wunner wrote: > If the call to of_device_get_match_data() fails on probe of the Atmel > QuadSPI driver, the clock "aq->pclk" is erroneously not unprepared and > disabled. Fix it. Applied to https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next Thanks! [1/1] spi: atmel-quadspi: Disable clock in probe error path commit: 0e685017c7ba1a2fe9f6f1e7a9302890747d934c All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark
On Sun, 8 Nov 2020 23:41:00 +0100, Lukas Wunner wrote: > If the calls to devm_request_irq() or devm_spi_register_master() fail > on probe of the PIC32 SPI driver, the DMA channels requested by > pic32_spi_dma_prep() are erroneously not released. Plug the leak. Applied to https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next Thanks! [1/1] spi: pic32: Don't leak DMA channels in probe error path commit: c575e9113bff5e024d75481613faed5ef9d465b2 All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark
On Sun, 8 Nov 2020 23:41:00 +0100, Lukas Wunner wrote: > If the calls to platform_get_irq() or devm_request_irq() fail on probe > of the SynQuacer SPI driver, the clock "sspi->clk" is erroneously not > unprepared and disabled. > > If the clock rate "master->max_speed_hz" cannot be determined, the same > happens and in addition the spi_master struct is not freed. > > [...] Applied to https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next Thanks! [1/1] spi: synquacer: Disable clock in probe error path commit: 8853b2503014aca5c793d2c7f0aabc990b32bdad All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark
diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c index 818f2b22875d..7453a1dbbc06 100644 --- a/drivers/spi/spi-davinci.c +++ b/drivers/spi/spi-davinci.c @@ -1040,13 +1040,13 @@ static int davinci_spi_remove(struct platform_device *pdev) spi_bitbang_stop(&dspi->bitbang); clk_disable_unprepare(dspi->clk); - spi_master_put(master); if (dspi->dma_rx) { dma_release_channel(dspi->dma_rx); dma_release_channel(dspi->dma_tx); } + spi_master_put(master); return 0; }
davinci_spi_remove() accesses the driver's private data after it's been freed with spi_master_put(). Fix by moving the spi_master_put() to the end of the function. Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel") Signed-off-by: Lukas Wunner <lukas@wunner.de> Cc: <stable@vger.kernel.org> # v4.7+ Cc: Peter Ujfalusi <peter.ujfalusi@ti.com> --- drivers/spi/spi-davinci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)