From: Fei Shao
To: Mark Brown, AngeloGioacchino Del Regno
Cc: Fei Shao, Daniel Kurtz, Matthias Brugger, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-spi@vger.kernel.org
Subject: [PATCH 1/2] spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
Date: Thu, 21 Mar 2024 14:41:01 +0800
Message-ID: <20240321064313.1385316-2-fshao@chromium.org>
In-Reply-To: <20240321064313.1385316-1-fshao@chromium.org>
References: <20240321064313.1385316-1-fshao@chromium.org>

The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes.

Add a check to xfer->tx_buf before using it.

Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
Signed-off-by: Fei Shao
---
 drivers/spi/spi-mt65xx.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 8d4633b353ee..86ea822c942b 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c 
@@ -788,17 +788,18 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *d= ev_id) mdata->xfer_len =3D min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(host); =20 - cnt =3D mdata->xfer_len / 4; - iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + if (trans->tx_buf) { + cnt =3D mdata->xfer_len / 4; + iowrite32_rep(mdata->base + SPI_TX_DATA_REG, + trans->tx_buf + mdata->num_xfered, cnt); =20 - remainder =3D mdata->xfer_len % 4; - if (remainder > 0) { - reg_val =3D 0; - memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, - remainder); - writel(reg_val, mdata->base + SPI_TX_DATA_REG); + remainder =3D mdata->xfer_len % 4; + if (remainder > 0) { + reg_val =3D 0; + memcpy(®_val, + trans->tx_buf + (cnt * 4) + mdata->num_xfered, + remainder); + writel(reg_val, mdata->base + SPI_TX_DATA_REG); } =20 mtk_spi_enable_transfer(host); --=20 2.44.0.396.g6e790dbe36-goog
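Review bot: the `if (trans->tx_buf) {` block added in the @@ -788 hunk of patch 1/2 is never closed. The added lines open two blocks (`if (trans->tx_buf) {` and `if (remainder > 0) {`), but the only closing brace in the hunk is the unchanged `}` ahead of `mtk_spi_enable_transfer(host);`, which is consistent with the hunk header growing by just one line (17 to 18). As posted the braces in mtk_spi_interrupt() do not balance, so add a second `}` as a `+` line after the `writel()` to end the inner `if (remainder > 0)` and let the existing brace close the tx_buf check. Separately, the commit message says the check is on xfer->tx_buf while the code in this patch still names the variable `trans`; the message should use the name that exists at this point in the series.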
From: Fei Shao
To: Mark Brown, AngeloGioacchino Del Regno
Cc: Fei Shao, Matthias Brugger, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-spi@vger.kernel.org
Subject: [PATCH 2/2] spi: spi-mt65xx: Rename a variable in interrupt handler
Date: Thu, 21 Mar 2024 14:41:02 +0800
Message-ID: <20240321064313.1385316-3-fshao@chromium.org>
In-Reply-To: <20240321064313.1385316-1-fshao@chromium.org>
References: <20240321064313.1385316-1-fshao@chromium.org>

All the spi_transfer variables in this file use the name "xfer" except the one in mtk_spi_interrupt(). Align the naming for consistency and easier searching.

While at it, reformat one memcpy() usage since the coding style allows 100 column lines today.

This commit has no functional change.

Signed-off-by: Fei Shao
---
 drivers/spi/spi-mt65xx.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 86ea822c942b..aaa0006a02a3 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c @@ -748,7 +748,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev= _id) u32 cmd, reg_val, cnt, remainder, len; struct spi_controller *host =3D dev_id; struct mtk_spi *mdata =3D spi_controller_get_devdata(host); - struct spi_transfer *trans =3D mdata->cur_transfer; + struct spi_transfer *xfer =3D mdata->cur_transfer; =20 reg_val =3D readl(mdata->base + SPI_STATUS0_REG); if (reg_val & MTK_SPI_PAUSE_INT_STATUS) 
@@ -762,42 +762,40 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *d= ev_id) return IRQ_HANDLED; } =20 - if (!host->can_dma(host, NULL, trans)) { - if (trans->rx_buf) { + if (!host->can_dma(host, NULL, xfer)) { + if (xfer->rx_buf) { cnt =3D mdata->xfer_len / 4; ioread32_rep(mdata->base + SPI_RX_DATA_REG, - trans->rx_buf + mdata->num_xfered, cnt); + xfer->rx_buf + mdata->num_xfered, cnt); remainder =3D mdata->xfer_len % 4; if (remainder > 0) { reg_val =3D readl(mdata->base + SPI_RX_DATA_REG); - memcpy(trans->rx_buf + - mdata->num_xfered + - (cnt * 4), + memcpy(xfer->rx_buf + (cnt * 4) + mdata->num_xfered, ®_val, remainder); } } =20 mdata->num_xfered +=3D mdata->xfer_len; - if (mdata->num_xfered =3D=3D trans->len) { + if (mdata->num_xfered =3D=3D xfer->len) { spi_finalize_current_transfer(host); return IRQ_HANDLED; } =20 - len =3D trans->len - mdata->num_xfered; + len =3D xfer->len - mdata->num_xfered; mdata->xfer_len =3D min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(host); =20 - if (trans->tx_buf) { + if (xfer->tx_buf) { cnt =3D mdata->xfer_len / 4; iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + xfer->tx_buf + mdata->num_xfered, cnt); =20 remainder =3D mdata->xfer_len % 4; if (remainder > 0) { reg_val =3D 0; memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, + xfer->tx_buf + (cnt * 4) + mdata->num_xfered, remainder); writel(reg_val, mdata->base + SPI_TX_DATA_REG); } 
@@ -808,21 +806,21 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *d= ev_id) } =20 if (mdata->tx_sgl) - trans->tx_dma +=3D mdata->xfer_len; + xfer->tx_dma +=3D mdata->xfer_len; if (mdata->rx_sgl) - trans->rx_dma +=3D mdata->xfer_len; + xfer->rx_dma +=3D mdata->xfer_len; =20 if (mdata->tx_sgl && (mdata->tx_sgl_len =3D=3D 0)) { mdata->tx_sgl =3D sg_next(mdata->tx_sgl); if (mdata->tx_sgl) { - trans->tx_dma =3D sg_dma_address(mdata->tx_sgl); + xfer->tx_dma =3D sg_dma_address(mdata->tx_sgl); mdata->tx_sgl_len =3D sg_dma_len(mdata->tx_sgl); } } if (mdata->rx_sgl && (mdata->rx_sgl_len =3D=3D 0)) { mdata->rx_sgl =3D sg_next(mdata->rx_sgl); if (mdata->rx_sgl) { - trans->rx_dma =3D sg_dma_address(mdata->rx_sgl); + xfer->rx_dma =3D sg_dma_address(mdata->rx_sgl); mdata->rx_sgl_len =3D sg_dma_len(mdata->rx_sgl); } } @@ -840,7 +838,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev= _id) =20 mtk_spi_update_mdata_len(host); mtk_spi_setup_packet(host); - mtk_spi_setup_dma_addr(host, trans); + mtk_spi_setup_dma_addr(host, xfer); mtk_spi_enable_transfer(host); =20 return IRQ_HANDLED; --=20 2.44.0.396.g6e790dbe36-goog
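Review bot: the RX-side memcpy() in the @@ -762 hunk of patch 2/2 is not only re-wrapped, its destination operands are also reordered, from `trans->rx_buf + mdata->num_xfered + (cnt * 4)` to `xfer->rx_buf + (cnt * 4) + mdata->num_xfered`. The result is the same address and now mirrors the TX side, so the "no functional change" statement holds, but the commit message should mention the reorder so nobody has to re-derive that while bisecting. This hunk's trailing context also ends at the single `}` after `writel()` that 1/2 leaves behind, so if 1/2 gains another closing brace, the line offsets of the later hunks (@@ -808 and @@ -840) will shift by one and this patch needs regenerating on top of the fixed 1/2.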