spi: spidev: fix a race between spidev_release and spidev_remove
[ Upstream commit abd42781c3
]
Imagine below scene, spidev is referenced after it's freed.
spidev_release() spidev_remove()
...
spin_lock_irq(&spidev->spi_lock);
spidev->spi = NULL;
spin_unlock_irq(&spidev->spi_lock);
mutex_lock(&device_list_lock);
dofree = (spidev->spi == NULL);
if (dofree)
kfree(spidev);
mutex_unlock(&device_list_lock);
mutex_lock(&device_list_lock);
list_del(&spidev->device_entry);
device_destroy(spidev_class, spidev->devt);
clear_bit(MINOR(spidev->devt), minors);
if (spidev->users == 0)
kfree(spidev);
mutex_unlock(&device_list_lock);
Fix it by resetting spidev->spi in device_list_lock's protection.
Signed-off-by: Zhenzhong Duan <zhenzhong.duan@gmail.com>
Link: https://lore.kernel.org/r/20200618032125.4650-1-zhenzhong.duan@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
5.4-rM2-2.2.x-imx-squashed
parent
44b6e192e0
commit
010de57181
|
@ -783,13 +783,13 @@ static int spidev_remove(struct spi_device *spi)
|
|||
{
|
||||
struct spidev_data *spidev = spi_get_drvdata(spi);
|
||||
|
||||
/* prevent new opens */
|
||||
mutex_lock(&device_list_lock);
|
||||
/* make sure ops on existing fds can abort cleanly */
|
||||
spin_lock_irq(&spidev->spi_lock);
|
||||
spidev->spi = NULL;
|
||||
spin_unlock_irq(&spidev->spi_lock);
|
||||
|
||||
/* prevent new opens */
|
||||
mutex_lock(&device_list_lock);
|
||||
list_del(&spidev->device_entry);
|
||||
device_destroy(spidev_class, spidev->devt);
|
||||
clear_bit(MINOR(spidev->devt), minors);
|
||||
|
|
Loading…
Reference in New Issue