Message ID | 1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.1732783000.git.xiaopei01@kylinos.cn |
---|---|
State | Accepted |
Commit | 984836621aad98802d92c4a3047114cf518074c8 |
Headers | show |
Series | spi: mpc52xx: Add cancel_work_sync before module remove | expand |
On Thu, 28 Nov 2024 16:38:17 +0800, Pei Xiao wrote: > If we remove the module which will call mpc52xx_spi_remove > it will free 'ms' through spi_unregister_controller. > while the work ms->work will be used. The sequence of operations > that may lead to a UAF bug. > > Fix it by ensuring that the work is canceled before proceeding with > the cleanup in mpc52xx_spi_remove. > > [...] Applied to https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next Thanks! [1/1] spi: mpc52xx: Add cancel_work_sync before module remove commit: 984836621aad98802d92c4a3047114cf518074c8 All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark
diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c index 036bfb7bf189..6d4dde15ac54 100644 --- a/drivers/spi/spi-mpc52xx.c +++ b/drivers/spi/spi-mpc52xx.c @@ -520,6 +520,7 @@ static void mpc52xx_spi_remove(struct platform_device *op) struct mpc52xx_spi *ms = spi_controller_get_devdata(host); int i; + cancel_work_sync(&ms->work); free_irq(ms->irq0, ms); free_irq(ms->irq1, ms);
If we remove the module which will call mpc52xx_spi_remove it will free 'ms' through spi_unregister_controller. while the work ms->work will be used. The sequence of operations that may lead to a UAF bug. Fix it by ensuring that the work is canceled before proceeding with the cleanup in mpc52xx_spi_remove. Fixes: ca632f556697 ("spi: reorganize drivers") Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn> --- drivers/spi/spi-mpc52xx.c | 1 + 1 file changed, 1 insertion(+)