Unverified Commit dee0774b authored by Johan Hovold's avatar Johan Hovold Committed by Mark Brown
Browse files

spi: fix statistics allocation 



The controller per-cpu statistics is not allocated until after the
controller has been registered with driver core, which leaves a window
where accessing the sysfs attributes can trigger a NULL-pointer
dereference.

Fix this by moving the statistics allocation to controller allocation
while tying its lifetime to that of the controller (rather than using
implicit devres).

Fixes: 6598b91b ("spi: spi.c: Convert statistics to per-cpu u64_stats_t")
Cc: stable@vger.kernel.org	# 6.0
Cc: David Jander <david@protonic.nl>
Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
Link: https://patch.msgid.link/20260312151817.32100-3-johan@kernel.org


Signed-off-by: default avatarMark Brown <broonie@kernel.org>
parent 8634e05b

drivers/spi/spi.c

+8 −9
Original line number Diff line number Diff line
@@ -3049,6 +3049,8 @@ static void spi_controller_release(struct device *dev) 
	struct spi_controller *ctlr;



	ctlr = container_of(dev, struct spi_controller, dev);



	free_percpu(ctlr->pcpu_statistics);

	kfree(ctlr);

}
@@ -3192,6 +3194,12 @@ struct spi_controller *__spi_alloc_controller(struct device *dev, 
	if (!ctlr)

		return NULL;



	ctlr->pcpu_statistics = spi_alloc_pcpu_stats(NULL);

	if (!ctlr->pcpu_statistics) {

		kfree(ctlr);

		return NULL;

	}



	device_initialize(&ctlr->dev);

	INIT_LIST_HEAD(&ctlr->queue);

	spin_lock_init(&ctlr->queue_lock);
@@ -3483,13 +3491,6 @@ int spi_register_controller(struct spi_controller *ctlr) 
		if (status)

			goto del_ctrl;

	}

	/* Add statistics */

	ctlr->pcpu_statistics = spi_alloc_pcpu_stats(dev);

	if (!ctlr->pcpu_statistics) {

		dev_err(dev, "Error allocating per-cpu statistics\n");

		status = -ENOMEM;

		goto destroy_queue;

	}



	mutex_lock(&board_lock);

	list_add_tail(&ctlr->list, &spi_controller_list);
@@ -3502,8 +3503,6 @@ int spi_register_controller(struct spi_controller *ctlr) 
	acpi_register_spi_devices(ctlr);

	return status;



destroy_queue:

	spi_destroy_queue(ctlr);

del_ctrl:

	device_del(&ctlr->dev);

free_bus_id: