From e957c96455e8f4c630d5e374312cad0633ca7e17 Mon Sep 17 00:00:00 2001 From: David Lechner Date: Wed, 12 Feb 2025 11:33:13 -0600 Subject: [PATCH] spi: offload: fix use after free Fix a use after free bug in devm_spi_offload_get() where a pointer was dereferenced after being freed. Instead, add a new local variable to avoid needing to use the resource pointer to access the offload pointer. Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202502112344.7ggtFzyn-lkp@intel.com/ Fixes: 5a19e1985d01 ("spi: axi-spi-engine: implement offload support") Signed-off-by: David Lechner Link: https://patch.msgid.link/20250212-spi-offload-fixes-v1-2-e192c69e3bb3@baylibre.com Signed-off-by: Mark Brown
---
 drivers/spi/spi-offload.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spi-offload.c b/drivers/spi/spi-offload.c
index df5e963d5ee2..6bad042fe437 100644
--- a/drivers/spi/spi-offload.c
+++ b/drivers/spi/spi-offload.c
@@ -108,6 +108,7 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
 const struct spi_offload_config *config)
 {
 struct spi_controller_and_offload *resource;
+ struct spi_offload *offload;
 int ret;
 if (!spi || !config)
@@ -120,18 +121,20 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
 if (!resource)
 return ERR_PTR(-ENOMEM);
- resource->controller = spi->controller;
- resource->offload = spi->controller->get_offload(spi, config);
- if (IS_ERR(resource->offload)) {
+ offload = spi->controller->get_offload(spi, config);
+ if (IS_ERR(offload)) {
 kfree(resource);
- return resource->offload;
+ return offload;
 }
+ resource->controller = spi->controller;
+ resource->offload = offload;
+
 ret = devm_add_action_or_reset(dev, spi_offload_put, resource);
 if (ret)
 return ERR_PTR(ret);
- return resource->offload;
+ return offload;
 }
 EXPORT_SYMBOL_GPL(devm_spi_offload_get);
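Review bot: Nothing in the second hunk records why `offload` is a separate local, so a later cleanup could reintroduce `return resource->offload;` and bring back the read after `kfree(resource)`. The same lifetime rule applies after `devm_add_action_or_reset()`, which on failure runs the `spi_offload_put` action on `resource` before returning. A comment above the two `resource->` assignments would cover both, e.g. `/* resource is handed to devres below; only the local offload pointer may be used after that */`. Separately, `IS_ERR(offload)` treats a NULL return from `get_offload()` as success; if the callback contract does not already rule NULL out (not visible here), it should be stated or checked. The function's signature and the lines between the two hunks are outside the diff.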