The SPI controller API is asymmetric in that a controller is allocated
and registered in two step, while it is freed as part of deregistration.
[1]
This is especially unfortunate as any driver data is freed along with
the controller, something which has lead to use-after-free bugs during
deregistration when drivers tear down resources after deregistering the
controller (or tear down resources that may still be in use before
deregistering the controller in an attempt to work around the API).
To reduce the risk of such bugs being introduced a device managed
allocation interface was added, but this arguably made things even less
consistent as now whether the controller gets freed as part of
deregistration depends on how it was allocated. [2][3]
With most drivers converted to use managed allocation in preparation for
fixing the API, the remaining 16 drivers can be converted in one
tree-wide change. Ten of those drivers use the bitbang interface and can
be converted by simply removing the extra reference already taken by
spi_bitbang_start() (and updating the two bitbang drivers that use
managed allocation). [4]
Fix the API inconsistency by no longer dropping a reference when
deregistering non-devres allocated controllers.
[1]
68b892f1fdc4 ("spi: document odd controller reference handling")
[2]
5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation")
[3]
3f174274d224 ("spi: fix misleading controller deregistration kernel-doc")
[4]
702a4879ec33 ("spi: bitbang: Let spi_bitbang_start() take a reference to master")
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260521073816.766596-1-johan@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
v4l2_device_disconnect(&dev->v4l2_dev);
video_unregister_device(&dev->vdev);
spi_unregister_controller(dev->ctlr);
+ spi_controller_put(dev->ctlr);
mutex_unlock(&dev->v4l2_lock);
mutex_unlock(&dev->vb_queue_lock);
ctlr->transfer_one_message = msi2500_transfer_one_message;
spi_controller_set_devdata(ctlr, dev);
ret = spi_register_controller(ctlr);
- if (ret) {
- spi_controller_put(ctlr);
- goto err_unregister_v4l2_dev;
- }
+ if (ret)
+ goto err_put_controller;
/* load v4l2 subdevice */
sd = v4l2_spi_new_subdev(&dev->v4l2_dev, ctlr, &board_info);
v4l2_ctrl_handler_free(&dev->hdl);
err_unregister_controller:
spi_unregister_controller(dev->ctlr);
+err_put_controller:
+ spi_controller_put(dev->ctlr);
err_unregister_v4l2_dev:
v4l2_device_unregister(&dev->v4l2_dev);
err_free_mem:
* This routine registers the spi_controller, which will process requests in a
* dedicated task, keeping IRQs unblocked most of the time. To stop
* processing those requests, call spi_bitbang_stop().
- *
- * On success, this routine will take a reference to the controller. The caller
- * is responsible for calling spi_bitbang_stop() to decrement the reference and
- * spi_controller_put() as counterpart of spi_alloc_host() to prevent a memory
- * leak.
*/
int spi_bitbang_start(struct spi_bitbang *bitbang)
{
/* driver may get busy before register() returns, especially
* if someone registered boardinfo for devices
*/
- ret = spi_register_controller(spi_controller_get(ctlr));
- if (ret)
- spi_controller_put(ctlr);
-
- return ret;
+ return spi_register_controller(ctlr);
}
EXPORT_SYMBOL_GPL(spi_bitbang_start);
dw_spi_shutdown_chip(dws);
free_irq(dws->irq, dws->ctlr);
+
+ spi_controller_put(dws->ctlr);
}
EXPORT_SYMBOL_NS_GPL(dw_spi_remove_controller, "SPI_DW_CORE");
dspi_release_dma(dspi);
if (dspi->irq)
free_irq(dspi->irq, dspi);
+
+ spi_controller_put(dspi->ctlr);
}
static void dspi_shutdown(struct platform_device *pdev)
static void mpc52xx_spi_remove(struct platform_device *op)
{
- struct spi_controller *host = spi_controller_get(platform_get_drvdata(op));
+ struct spi_controller *host = platform_get_drvdata(op);
struct mpc52xx_spi *ms = spi_controller_get_devdata(host);
int i;
dev_dbg(&plat_dev->dev, "%s:[ch%d] irq=%d\n",
__func__, plat_dev->id, board_dat->pdev->irq);
- spi_controller_get(data->host);
-
spi_unregister_controller(data->host);
/* check for any pending messages; no action is taken if the queue
xspi->write_fn(0, regs_base + XIPIF_V123B_IIER_OFFSET);
/* Disable the global IPIF interrupt */
xspi->write_fn(0, regs_base + XIPIF_V123B_DGIER_OFFSET);
-
- spi_controller_put(xspi->bitbang.ctlr);
}
/* work with hotplug and coldplug */
struct xtfpga_spi *xspi = spi_controller_get_devdata(host);
spi_bitbang_stop(&xspi->bitbang);
- spi_controller_put(host);
}
MODULE_ALIAS("platform:" XTFPGA_SPI_NAME);
* This must be called from context that can sleep.
*
* The caller is responsible for assigning the bus number and initializing the
- * controller's methods before calling spi_register_controller(); and (after
- * errors adding the device) calling spi_controller_put() to prevent a memory
- * leak.
+ * controller's methods before calling spi_register_controller(); and calling
+ * spi_controller_put() to prevent a memory leak when done with the
+ * controller.
*
* Return: the SPI controller structure on success, else NULL.
*/
if (ret)
return NULL;
- ctlr->devm_allocated = true;
-
return ctlr;
}
EXPORT_SYMBOL_GPL(__devm_spi_alloc_controller);
* Context: can sleep
*
* Register a SPI device as with spi_register_controller() which will
- * automatically be unregistered (and freed unless it has been allocated using
- * devm_spi_alloc_host/target()).
+ * automatically be unregistered.
*
* Return: zero on success, else a negative error code.
*/
if (ret)
return ret;
- /*
- * Prevent controller from being freed by spi_unregister_controller()
- * if devm_add_action_or_reset() fails for a non-devres allocated
- * controller.
- */
- spi_controller_get(ctlr);
-
- ret = devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
-
- if (ret == 0 || ctlr->devm_allocated)
- spi_controller_put(ctlr);
-
- return ret;
+ return devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
}
EXPORT_SYMBOL_GPL(devm_spi_register_controller);
* only ones directly touching chip registers.
*
* This must be called from context that can sleep.
- *
- * Note that this function also drops a reference to the controller unless it
- * has been allocated using devm_spi_alloc_host/target().
*/
void spi_unregister_controller(struct spi_controller *ctlr)
{
if (IS_ENABLED(CONFIG_SPI_DYNAMIC))
mutex_unlock(&ctlr->add_lock);
-
- /*
- * Release the last reference on the controller if its driver
- * has not yet been converted to devm_spi_alloc_host/target().
- */
- if (!ctlr->devm_allocated)
- put_device(&ctlr->dev);
}
EXPORT_SYMBOL_GPL(spi_unregister_controller);
return 0;
-exit_spi_put:
- spi_controller_put(ctlr);
-
- return ret;
-
exit_spi_unregister:
spi_unregister_controller(ctlr);
+exit_spi_put:
+ spi_controller_put(ctlr);
return ret;
}
struct spi_controller *ctlr = gb_connection_get_data(connection);
spi_unregister_controller(ctlr);
+ spi_controller_put(ctlr);
}
EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
* @flags: other constraints relevant to this driver
* @slave: indicates that this is an SPI slave controller
* @target: indicates that this is an SPI target controller
- * @devm_allocated: whether the allocation of this struct is devres-managed
* @max_transfer_size: function that returns the max transfer size for
* a &spi_device; may be %NULL, so the default %SIZE_MAX will be used.
* @max_message_size: function that returns the max message size for
*/
#define SPI_CONTROLLER_MULTI_CS BIT(7)
- /* Flag indicating if the allocation of this struct is devres-managed */
- bool devm_allocated;
-
union {
/* Flag indicating this is an SPI slave controller */
bool slave;
projects / thirdparty / kernel / linux.git / commitdiff
