spi: mpc52xx: fix use-after-free on unbind

The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.

Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
Cc: stable@vger.kernel.org
Cc: Pei Xiao <xiaopei01@kylinos.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260414134319.978196-5-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 823b49f8ece2a261815969a99cac074b286d0b72..c8c8e6bdf421dd50b07b98293f0a68bae33c64ab 100644 (file)
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -519,10 +519,11 @@ static void mpc52xx_spi_remove(struct platform_device *op)
 
        spi_unregister_controller(host);
 
-       cancel_work_sync(&ms->work);
        free_irq(ms->irq0, ms);
        free_irq(ms->irq1, ms);
 
+       cancel_work_sync(&ms->work);
+
        for (i = 0; i < ms->gpio_cs_count; i++)
                gpiod_put(ms->gpio_cs[i]);