spi: mpc52xx: fix use-after-free on unbind

commit 706b3dc2ac7a998c55e14b3fd2e8f934c367e6e0 upstream.

The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.

Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
Cc: stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 157228562d65d83f89363b3189f92c23fe4a74f2..924d820448fb4a5e5b8d3fb125fca94cb27ec863 100644 (file)
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -522,10 +522,11 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 
        spi_unregister_controller(host);
 
-       cancel_work_sync(&ms->work);
        free_irq(ms->irq0, ms);
        free_irq(ms->irq1, ms);
 
+       cancel_work_sync(&ms->work);
+
        for (i = 0; i < ms->gpio_cs_count; i++)
                gpiod_put(ms->gpio_cs[i]);