Re: [PATCH spi] spi: spi-fsl-lpspi: fix teardown order issue (UAF)

From: Marc Kleine-Budde

Date: Tue Mar 24 2026 - 11:26:11 EST


On 24.03.2026 11:05:11, Frank Li wrote:
> On Thu, Mar 19, 2026 at 07:38:12PM +0100, Marc Kleine-Budde wrote:
> > There is a teardown order issue in the driver. The SPI controller is
> > registered using devm_spi_register_controller(), which delays
> > unregistration of the SPI controller until after the fsl_lpspi_remove()
> > function returns.
> >
> > As the fsl_lpspi_remove() function synchronously tears down the DMA
> > channels, a running SPI transfer triggers the following NULL pointer
> > dereference due to use after free:
> >
> > | fsl_lpspi 42550000.spi: I/O Error in DMA RX
> > | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> > [...]
> > | Call trace:
> > | fsl_lpspi_dma_transfer+0x260/0x340 [spi_fsl_lpspi]
> > | fsl_lpspi_transfer_one+0x198/0x448 [spi_fsl_lpspi]
> > | spi_transfer_one_message+0x49c/0x7c8
> > | __spi_pump_transfer_message+0x120/0x420
> > | __spi_sync+0x2c4/0x520
> > | spi_sync+0x34/0x60
> > | spidev_message+0x20c/0x378 [spidev]
> > | spidev_ioctl+0x398/0x750 [spidev]
> > [...]
> >
> > Switch from devm_spi_register_controller() to spi_register_controller() in
> > fsl_lpspi_probe() and add the corresponding spi_unregister_controller() in
> > fsl_lpspi_remove().
>
> Feel like it is not the correct fix. devm_spi_register_controller() is quite
> common, other SPI controllers should have a similar problem.

Have a look at the remove function:

| static void fsl_lpspi_remove(struct platform_device *pdev)
| {
|         struct spi_controller *controller = platform_get_drvdata(pdev);
|         struct fsl_lpspi_data *fsl_lpspi =
|                                 spi_controller_get_devdata(controller);
|
|         fsl_lpspi_dma_exit(controller);

It first cleans up the DMA support, but the controller is still
registered. In my use case the /dev/spiX.Y is still active and my test
program can still issue a SPI transfer.

|
|         pm_runtime_dont_use_autosuspend(fsl_lpspi->dev);
|         pm_runtime_disable(fsl_lpspi->dev);
| }

The patch unregisters the SPI controller prior to tearing down the DMA
support.

Another option would be to push everything in the fsl_lpspi_remove() to
devm, too.

regards,
Marc

--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung Nürnberg | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |
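The ordering hazard discussed in this thread, as an added user-space model (not kernel code, not from the driver or the patch): devm is modelled as a stack of release callbacks that run only after remove() returns, and -EIO stands in for the NULL dereference the real driver hits when a transfer lands after the DMA channels are gone but before the deferred unregistration runs.

```c
/* Constructed model of the fsl_lpspi teardown ordering. Names are
 * hypothetical; only the ordering mirrors the driver as discussed. */
#include <stdbool.h>
#include <stddef.h>

#define EIO     5
#define ENODEV 19

struct lpspi { bool registered; int *dma_rx; int rx_buf; };

/* devm release list: callbacks run *after* the driver's remove() returns,
 * which is what devm_spi_register_controller() relies on. */
typedef void (*devm_fn)(struct lpspi *);
static devm_fn devm_stack[4];
static int devm_top;
static void devm_add(devm_fn fn) { devm_stack[devm_top++] = fn; }
static void devm_release(struct lpspi *c) { while (devm_top) devm_stack[--devm_top](c); }

static void dma_exit(struct lpspi *c) { c->dma_rx = NULL; }
static void unregister_controller(struct lpspi *c) { c->registered = false; }

/* A transfer issued through /dev/spiX.Y: 0 on success, -ENODEV once the
 * controller is unregistered, -EIO standing in for the NULL dereference
 * the real fsl_lpspi_dma_transfer() hits when the DMA channel is gone. */
static int transfer(struct lpspi *c)
{
    if (!c->registered) return -ENODEV;   /* device node already gone: safe */
    if (!c->dma_rx)     return -EIO;      /* real driver: NULL pointer deref */
    return *c->dma_rx;
}

/* Buggy order: unregistration deferred to devm, DMA torn down now. */
static void remove_buggy(struct lpspi *c) { dma_exit(c); }

/* Patched order: unregister synchronously, then tear down DMA. */
static void remove_fixed(struct lpspi *c) { unregister_controller(c); dma_exit(c); }

/* Probe, remove, then a transfer that races in before devm callbacks run. */
static int race_after_remove(bool fixed)
{
    struct lpspi c = { .registered = true, .dma_rx = NULL, .rx_buf = 0 };
    c.dma_rx = &c.rx_buf;
    devm_top = 0;
    if (!fixed) devm_add(unregister_controller); /* devm_spi_register_controller() */
    if (fixed) remove_fixed(&c); else remove_buggy(&c);
    int ret = transfer(&c);                      /* spidev ioctl lands here */
    devm_release(&c);                            /* deferred unregistration */
    return ret;
}
```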
