From nobody Tue Jun 16 06:05:01 2026 Received: from mail-pg1-f173.google.com (mail-pg1-f173.google.com [209.85.215.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 996F739D6EA for ; Thu, 16 Apr 2026 16:28:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.173 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776356883; cv=none; b=E+KUjaiNYEb8/pHqOmaoC3KQAo1aJBNHBiEjq3e5AMbx029YF6d50RdxH/pJwjIMOwjnCyU6ZiS6TNcapKRw3IrGRWF7qgpHGdHy2O2L86ImJYdQmRbv2zN4ovulCGxDFfm37HM1CfaqwLFcrgHtr5Dn+06wojSeRh703ekYhHo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776356883; c=relaxed/simple; bh=an05gz3snFqSWIlqPugud+8QDXGo85nlpAZJRtcNXQM=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=QK+UlXaYfNLJg7AJGjJDr82WRQWm3nAFAujPRrg5o1+DBWdquYEIvc9qxi4aVbUfBK+eNBaSTJ23/Vd7Qu3cogJ0eurnnXINlpDtr6YFbh7bhfTAxnjnTaYxf3P8tMnHElg1ZPSbC8a9j/6K+Ko9YhleWn9NqQkNXz3QGzY/E/c= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UBmUitbY; arc=none smtp.client-ip=209.85.215.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UBmUitbY" Received: by mail-pg1-f173.google.com with SMTP id 41be03b00d2f7-c79662bbd2eso770916a12.3 for ; Thu, 16 Apr 2026 09:28:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776356882; x=1776961682; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=5saRJRACUrKVG09khw6yNyktdUzYLnpf0xS5TC2JSYI=; b=UBmUitbYRoY49LVN4gtXElvt9c74Wb1ChQuPaQ/4zbQuFHWsEc3kgiG7RjG1sMtCDc b6A88FauHJSM7FXINgSxaTtEfcSss/dpFlA0kWYspMS56Nfyg9/FiGnjFOCF3UO1kHRz Z9XijqGCmQEv1ICOnvOag0pmfhgc8NkTzJhYk6Wfzld6E8gZsKZzeVUpgMgeQBLvfYIn OBOkjElK3FxQtcpLsrbpIrs2b0Pq4RWY6VDmSxlhAVLjQKWc0rx5SNLhfHSm6bJ1Sxo0 PlbCxuqTzr7vniDAUSn/ZTi06ZzrETfsBSdOpJcWiBH/6M7I8xhi16pljzpy2x/VYX3f RZJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776356882; x=1776961682; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=5saRJRACUrKVG09khw6yNyktdUzYLnpf0xS5TC2JSYI=; b=TA6hZgil1eB98a/p/uguOQMgD1AMiaP6kOTsLiiHNRtmLOEVSYQgUwjCR8hFZL/riy U2s0KrtSSoLWIKhMaMjT9zTAEXomwCGI9jPCMlh9e9vWATR5DIv4iaMFFs09U57EC7TR QdUjHw9j6zsdCfdBu3LN0uaBCuN1+YBGQ4S+itgGkhz5dHQpHRSDXeADP5nDJVv8UEun pdVKzmyNaj+TIKOCoUHaTkEyUEzpB3PuxarBC8Vhqjhp6nUWFbvAr+xgfjc6WtjofH6u fN2stYk++fgBmG7l3q7Eg02whrg22gK2WkV5zwRJDRj2oPEOQekMvhnYcI5ZewUIXf6i Uw5g== X-Forwarded-Encrypted: i=1; AFNElJ8KamqSIdHsBaAgOa853oPozyWsQbUIElrGuVTwMeZtexF4k8lHbhwb7jEj8YTqAOF0isiDxkxn1fnz/3U=@vger.kernel.org X-Gm-Message-State: AOJu0YwPoPZSftdp4WxNMqzfH6DzeDEapIcfSxa4hkgC4XaMY1a3pwCZ /72Wq0KEpTAxmmIdGBJ89B6Dzv5kFO6IFK887wRIiVZV3gE38RW26AbN X-Gm-Gg: AeBDietYDfEgBRPJYDzGrWbEuNVjfXncyT0ywOvbxWJ49LkzQAe9aVLYZ/cKYyouyOK OurktqQrutdGPxY32oexSqMITNJkVWu03UqBsE4oMWXrWa+Z0zxuOvUko8pwmgQbocTjNApk/2O Az1ablcRQ2mPzoRRehqCdPtiMJJPcX/TLb/DPAE2381/31lovoWSQ+pPooQFK1A21TvFBMa4d04 dd4bUR4Me7+dq2dCowW91vob2C82FWqTfexwCG8Ex0AOC/8HpjVmtR452VuPauc7lSg09ri4qhJ JKL9/QvBCuxlLKw6YHlXbFY7Nv6lrcubkPA7/xZOzkvj1Hm9HAH7AqXf1z2o/OYx6QXZKoSZan+ XktvxuNr1yoiGE4X0hu+PbGy7+Noesdf4ZMBnrvUbxdMiiLHkFuo++a5YQ3jGVYHZ3ENpfyoqHE Gbqr/HQNQDDXQpgFvaALzzXvGwcNUA3QEoDeZ71RQxQiMtGFrwzmdnT8hjhSkZmSc5mL2TbPPle TsNUk6Te3jEzT1ERop7ZFe64uQfT+Y= X-Received: by 2002:a05:6a21:3389:b0:398:bbd6:80b9 with SMTP id adf61e73a8af0-39fe3d824f2mr29670119637.23.1776356881767; Thu, 16 Apr 2026 09:28:01 -0700 (PDT) Received: from junjungu-PC.localdomain ([223.167.147.125]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c7957ed03f1sm4899852a12.3.2026.04.16.09.28.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Apr 2026 09:28:01 -0700 (PDT) From: Felix Gu Date: Fri, 17 Apr 2026 00:27:54 +0800 Subject: [PATCH 1/2] spi: atcspi200: fix use-after-free when driver unbind Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260417-atcspi-v1-1-854831667d63@gmail.com> References: <20260417-atcspi-v1-0-854831667d63@gmail.com> In-Reply-To: <20260417-atcspi-v1-0-854831667d63@gmail.com> To: CL Wang , Mark Brown Cc: linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Felix Gu X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1776356879; l=1365; i=ustc.gu@gmail.com; h=from:subject:message-id; bh=an05gz3snFqSWIlqPugud+8QDXGo85nlpAZJRtcNXQM=; b=cjG8jOqLKAqc0lTGEmS/vsVLhr4Xxmy3lD1F7AbH8ZfaDKWDgkpKdiOfBAv2+CznMGceUGzLN iAyqSjcOKkDAfm3kZ0rdLGTRLzbVmsVTbFe7OMlylmgvnzSZ3riLxAM X-Developer-Key: i=ustc.gu@gmail.com; a=ed25519; pk=fjUXwmjchVN7Ja6KGP55IXOzFeCl9edaHoQIEUA+/hw= DMA resource is initialized after SPI controller registration. So when driver unbind, this can trigger a use-after-free when DMA is torn down while the controller is still alive and triggers DMA transfers. Fixes: 34e3815ea459 ("spi: atcspi200: Add ATCSPI200 SPI controller driver") Signed-off-by: Felix Gu --- drivers/spi/spi-atcspi200.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/spi/spi-atcspi200.c b/drivers/spi/spi-atcspi200.c index 3832d9db3cbf..c5cf1aa2d674 100644 --- a/drivers/spi/spi-atcspi200.c +++ b/drivers/spi/spi-atcspi200.c @@ -575,12 +575,6 @@ static int atcspi_probe(struct platform_device *pdev) if (ret) goto free_controller; =20 - ret =3D devm_spi_register_controller(&pdev->dev, host); - if (ret) { - dev_err_probe(spi->dev, ret, - "Failed to register SPI controller\n"); - goto free_controller; - } spi->use_dma =3D false; if (ATCSPI_DMA_SUPPORT) { ret =3D atcspi_configure_dma(spi); @@ -591,6 +585,13 @@ static int atcspi_probe(struct platform_device *pdev) spi->use_dma =3D true; } =20 + ret =3D devm_spi_register_controller(&pdev->dev, host); + if (ret) { + dev_err_probe(spi->dev, ret, + "Failed to register SPI controller\n"); + goto free_controller; + } + return 0; =20 free_controller: --=20 2.43.0 From nobody Tue Jun 16 06:05:01 2026 Received: from mail-pg1-f176.google.com (mail-pg1-f176.google.com [209.85.215.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6DED039B974 for ; Thu, 16 Apr 2026 16:28:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.176 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776356885; cv=none; b=JPG0RdweTATR33z2VzP1DF0qCJybXyneyrc/XxrMyWPDXOr/oQQugV3ZiAEuNU6K8rtWMi0SLzXWwZRrH0SYqds+JJND5B6vTCJRVaUS0EkFQOoiPOm8XG3DinsmrvPvhBLKWXyW6VX9NZab+BvBZla/vkBdkNa46VmbTKAdJGg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776356885; c=relaxed/simple; bh=FZ6qkpMKVIcbowELRYRBQvoC35yyjFuA/kOKYyZ/2F8=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=UEu0kYIaF8SzmtBeHcdgn3kx+v16CZH7TyLCV1dhsWeT0AG5sz3PlYvihNqf4Nkeu4r+gH0PJEY8q2Js42XIPsfvSZQ6z1WdDA7PU5xUIfvy1zvpFAeGBqsXquEWRzE9qi1mtURhEoy84jZjBv9EepIjNL4poY3gCH/b5BG+e2s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=LqoTSq/v; arc=none smtp.client-ip=209.85.215.176 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="LqoTSq/v" Received: by mail-pg1-f176.google.com with SMTP id 41be03b00d2f7-c06cb8004e8so3319523a12.0 for ; Thu, 16 Apr 2026 09:28:04 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776356884; x=1776961684; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=cSry/j/bHDuu9fpNbbaBULIlYY0NQBFJddY/G6VITfM=; b=LqoTSq/vSHHaTVf9NZnEKPJAp8PmWI4Wjrsca6oHTL9LxVJFYzCao/TZ9RLY0JUu/F TAP3dvGQrHyRH1hu0Ss7ZX46vNDnUp+zJVmr+WKGDK9CefPPWnshvrTIB4IxcOmVP0WE gsmUs4urBBOt/4ThiqRYZqmaRbA+V1333bCndsktE2Lvsdo2Xq9uVCv9GXIYLnqK5ZSY 0FLBeO1z9/j/8ePcMiCVPTbnRuvZLTzw+Newwe7U2j6wxQVyBcYncIcaB5KOKvE50duu ddswq1yio4Gpv3tS1+CUEv2wuIluX7F9DHD8RKzPpri5tw4vRHjbMv8vaZtAWPBuhEnZ PWRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776356884; x=1776961684; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=cSry/j/bHDuu9fpNbbaBULIlYY0NQBFJddY/G6VITfM=; b=h0edc6JBO5p9xe1t47Pfhz2CssgxH4bSx3Gf1cavCPWm/tw5C13hm9jCmyYwHC9Ddf 3/K4efUUy2A4ZFX8G1O1AQdWbVw0PwGFP00BSmet/uIRoqLE0oXRLlmPCxoB1G6NV45R eHppprVJUr9LmX0Ebk+R5tq9X/ej//N2i8TWbIX7dcXlMFe/tVg5ZzfHVtrQiFoqafl8 zR8SyPvaA3BuLY/kGIafuhYynby/e3AozAcu6RcRvlg7D+PlAhSrYpSDrz2K2n0kGbma t5rVVAxwMD58Zua5dvvMVBdh1Cr+RdGyvTyklVcAy2dN3mzqba+4a/pkvIRNOKLPkIFz tdSA== X-Forwarded-Encrypted: i=1; AFNElJ8B44r0wjPSmid0fL/PQUkIadTTIFW2d5xtHA0BNsuq7m0tYER55LlOE97cK5gRMPNsPMx/meRHFFO+opg=@vger.kernel.org X-Gm-Message-State: AOJu0Yx5mUmPt+CCopglySAh9sl1hDWLFQrYixHe4LuwmezaFEHjVE3p cDPFwDqGpcw88a96S6MZ8fPC2nCQrPowYeCizrK1rU0h0CwrMQs75iDu X-Gm-Gg: AeBDieswD+lOb6qxwDfC2sO8JWEcpC/O/ZqjI1c3AWie5hv+SvoFxo271yl3dk2ds1+ deN1vvzr0UKFBtPbqwDY6fofF/5Y96kLfFdBtx80hgs69NYjsVZRUlpg0YS1NezC3TtsBwJ/Uqx YxKkCzv7ecRPGW1uqk5hEa6F+vr/Pq8yJssRXZeqkUkaZPmJj/eDGYnATjEzFumOamcH1BEZoR5 OqzI08kZl9fgympxj/8Wc4YzTa76Ze8u5lXBonWl9TgHNnltftO65chstSDNCOcNG+2FRTDYO14 uEe80wn/LmcoZrUUWKf8tS30sUcTQSdd1ULKOufudrvNHxsBPaIe7ADoScQ5HKE4+sxxyeBkViO Y150zY2vw30hwC5qzEjw5CPBFWzU9JeQgVwbYpcaCZHRF8TFCK8c5Efzvvaop1x57lJkG1WyYgb QsAjUBX0gyuAKew1wWAUzu8+P8Z3wZPDb6GhgfdDjTxgyH/CMElUGLL2PrCIJnr18Y/50eHVaoA Wgf9AvMv953gDkgdyEN2lH1rxslh7o= X-Received: by 2002:a05:6a20:3d1c:b0:398:8dbb:d1f with SMTP id adf61e73a8af0-39fe4108830mr29897868637.55.1776356883559; Thu, 16 Apr 2026 09:28:03 -0700 (PDT) Received: from junjungu-PC.localdomain ([223.167.147.125]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-c7957ed03f1sm4899852a12.3.2026.04.16.09.28.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Apr 2026 09:28:03 -0700 (PDT) From: Felix Gu Date: Fri, 17 Apr 2026 00:27:55 +0800 Subject: [PATCH 2/2] spi: atcspi200: switch to devm functions Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260417-atcspi-v1-2-854831667d63@gmail.com> References: <20260417-atcspi-v1-0-854831667d63@gmail.com> In-Reply-To: <20260417-atcspi-v1-0-854831667d63@gmail.com> To: CL Wang , Mark Brown Cc: linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Felix Gu X-Mailer: b4 0.14.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1776356879; l=1911; i=ustc.gu@gmail.com; h=from:subject:message-id; bh=FZ6qkpMKVIcbowELRYRBQvoC35yyjFuA/kOKYyZ/2F8=; b=QLuqZT+7GA4+3UyeKUqZC05mgpQ14rMiwnyfexefXYc7G3zRe5ajp9NIjxkWa5x8KYyRy4cDS B6U0ax8sMynBKEi2q4SRMmMIeDnArOeb4JR2JM47Q4Ybwv3zwEeiLu2 X-Developer-Key: i=ustc.gu@gmail.com; a=ed25519; pk=fjUXwmjchVN7Ja6KGP55IXOzFeCl9edaHoQIEUA+/hw= Switch to use devm_spi_alloc_host and devm_mutex_init to make code clean. Signed-off-by: Felix Gu --- drivers/spi/spi-atcspi200.c | 25 ++++++++++--------------- 1 file changed, 10 insertions(+), 15 deletions(-) diff --git a/drivers/spi/spi-atcspi200.c b/drivers/spi/spi-atcspi200.c index c5cf1aa2d674..6d4b6aeb3f5b 100644 --- a/drivers/spi/spi-atcspi200.c +++ b/drivers/spi/spi-atcspi200.c @@ -550,7 +550,7 @@ static int atcspi_probe(struct platform_device *pdev) struct resource *mem_res; int ret; =20 - host =3D spi_alloc_host(&pdev->dev, sizeof(*spi)); + host =3D devm_spi_alloc_host(&pdev->dev, sizeof(*spi)); if (!host) return -ENOMEM; =20 @@ -559,21 +559,23 @@ static int atcspi_probe(struct platform_device *pdev) spi->dev =3D &pdev->dev; dev_set_drvdata(&pdev->dev, host); =20 - mutex_init(&spi->mutex_lock); + ret =3D devm_mutex_init(&pdev->dev, &spi->mutex_lock); + if (ret) + return ret; =20 ret =3D atcspi_init_resources(pdev, spi, &mem_res); if (ret) - goto free_controller; + return ret; =20 ret =3D atcspi_enable_clk(spi); if (ret) - goto free_controller; + return ret; =20 atcspi_init_controller(pdev, spi, host, mem_res); =20 ret =3D atcspi_setup(spi); if (ret) - goto free_controller; + return ret; =20 spi->use_dma =3D false; if (ATCSPI_DMA_SUPPORT) { @@ -586,18 +588,11 @@ static int atcspi_probe(struct platform_device *pdev) } =20 ret =3D devm_spi_register_controller(&pdev->dev, host); - if (ret) { - dev_err_probe(spi->dev, ret, - "Failed to register SPI controller\n"); - goto free_controller; - } + if (ret) + return dev_err_probe(spi->dev, ret, + "Failed to register SPI controller\n"); =20 return 0; - -free_controller: - mutex_destroy(&spi->mutex_lock); - spi_controller_put(host); - return ret; } =20 static int atcspi_suspend(struct device *dev) --=20 2.43.0