[PATCH AUTOSEL 6.19] spi: spi-dw-dma: fix print error log when wait finish transaction

Sasha Levin posted 1 patch 4 weeks, 1 day ago
drivers/spi/spi-dw-dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Posted by Sasha Levin 4 weeks, 1 day ago
From: Vladimir Yakovlev <vovchkir@gmail.com>

[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ]

If an error occurs, the device may not have a current message. In this
case, the system will crash.

In this case, it's better to use dev from the struct ctlr (struct spi_controller*).

Signed-off-by: Vladimir Yakovlev <vovchkir@gmail.com>
Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

The analysis is clear. When `dw_spi_dma_wait` times out, `cur_msg` could
potentially be NULL or in an inconsistent state. Dereferencing
`dws->ctlr->cur_msg->spi->dev` through a chain of 3 pointer dereferences
when `cur_msg` could be NULL causes a NULL pointer dereference crash.

The fix simply uses `dws->ctlr->dev` instead, which is always valid
since it's the controller's own device - guaranteed to exist as long as
the controller exists.

## Analysis

### What the commit fixes
This commit fixes a potential NULL pointer dereference crash in the SPI
DW DMA driver. When a DMA transaction times out in `dw_spi_dma_wait()`,
the error logging path accesses `dws->ctlr->cur_msg->spi->dev`. If
`cur_msg` is NULL (which can happen on error paths, as the SPI core sets
it to NULL in various places), this causes a kernel crash. The fix uses
`dws->ctlr->dev` instead, which is always valid.

### Meets stable kernel rules
1. **Obviously correct**: The fix is a single-line change replacing an
   unsafe pointer chain with a safe, always-valid device reference. The
   controller device (`ctlr->dev`) is always valid as long as the
   controller is registered.
2. **Fixes a real bug**: NULL pointer dereference leading to a kernel
   crash.
3. **Important issue**: Kernel crash/oops in a commonly used SPI driver.
4. **Small and contained**: One line change in one file.
5. **No new features**: Pure bug fix.

### Risk assessment
- **Risk**: Extremely low. The fix simply changes which `struct device
  *` is used for `dev_err()` logging. The worst case is the error
  message shows a slightly different device name in the log.
- **Benefit**: Prevents a kernel crash when a DMA transfer times out.

### Dependency check
The fix uses `ctlr` which was renamed from `host` in commit
`b926b15547d29` (Oct 2025). For older stable trees (pre-6.12 or so), the
field was named `master` or `host`, so the backport would need trivial
adaptation (changing `ctlr` to `host` or `master` depending on the
tree). The buggy code has been present since commit `bdbdf0f06337d`
(v5.8, May 2020), so all supported stable trees would benefit.

### Verification
- `git log -p --follow -S 'cur_msg->spi->dev'` confirmed the buggy
  pattern was introduced in commit `bdbdf0f06337d` (v5.8 era, 2020)
- `git tag --contains bdbdf0f06337d` confirmed it's in stable branches
  p-5.10, p-5.15, p-6.1
- `git show b926b15547d29` confirmed the `host` -> `ctlr` rename touched
  this exact line, creating a dependency for clean backport to newer
  stable trees
- Read of `spi.c` confirmed `cur_msg` is set to NULL in multiple places
  (lines 1910, 2198, 4480), validating the crash scenario
- The fix only changes the `struct device *` argument to `dev_err()`,
  which has zero functional impact beyond logging

**YES**

 drivers/spi/spi-dw-dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
index 65adec7c7524b..fe726b9b1780d 100644
--- a/drivers/spi/spi-dw-dma.c
+++ b/drivers/spi/spi-dw-dma.c
@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed)
 					 msecs_to_jiffies(ms));
 
 	if (ms == 0) {
-		dev_err(&dws->ctlr->cur_msg->spi->dev,
+		dev_err(&dws->ctlr->dev,
 			"DMA transaction timed out\n");
 		return -ETIMEDOUT;
 	}
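Review bot: the commit message has no Fixes: tag, although the `dev_err()` call replaced in the `if (ms == 0)` branch is a long-standing pattern. The accompanying analysis attributes it to commit `bdbdf0f06337d`; if that is confirmed, a `Fixes:` line for that commit would let stable tooling scope the backport instead of relying on the AUTOSEL explanation. With `&dws->ctlr->dev` the timeout message now identifies only the controller, not the peripheral that was being addressed. That is the right trade for removing the `cur_msg->spi->dev` chain, but if the peripheral is wanted for triage it should be logged only behind an explicit NULL check of `cur_msg`, never by restoring the unconditional dereference. The rest of spi-dw-dma.c is not visible in this hunk, so it is worth checking the other error paths in the file for the same `cur_msg` dereference.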
-- 
2.51.0