spi: atcspi200: fix use-after-free when driver unbind

DMA resource is initialized after SPI controller registration. So
when driver unbind, this can trigger a use-after-free when DMA is
torn down while the controller is still alive and triggers DMA transfers.

Fixes: 34e3815ea459 ("spi: atcspi200: Add ATCSPI200 SPI controller driver")
Signed-off-by: Felix Gu <ustc.gu@gmail.com>
Link: https://patch.msgid.link/20260417-atcspi-v1-1-854831667d63@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/drivers/spi/spi-atcspi200.c b/drivers/spi/spi-atcspi200.c
index 3832d9db3cbf8452edf46ef88612b77f9b8730d1..c5cf1aa2d6743878ffb8cf08b33fe7c5877ec711 100644 (file)
--- a/drivers/spi/spi-atcspi200.c
+++ b/drivers/spi/spi-atcspi200.c
@@ -575,12 +575,6 @@ static int atcspi_probe(struct platform_device *pdev)
        if (ret)
                goto free_controller;
 
-       ret = devm_spi_register_controller(&pdev->dev, host);
-       if (ret) {
-               dev_err_probe(spi->dev, ret,
-                             "Failed to register SPI controller\n");
-               goto free_controller;
-       }
        spi->use_dma = false;
        if (ATCSPI_DMA_SUPPORT) {
                ret = atcspi_configure_dma(spi);
@@ -591,6 +585,13 @@ static int atcspi_probe(struct platform_device *pdev)
                        spi->use_dma = true;
        }
 
+       ret = devm_spi_register_controller(&pdev->dev, host);
+       if (ret) {
+               dev_err_probe(spi->dev, ret,
+                             "Failed to register SPI controller\n");
+               goto free_controller;
+       }
+
        return 0;
 
 free_controller: