Commit a20ad45

Fei Shao authored and broonie committed
spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes.

Add a check to trans->tx_buf before using it.

Fixes: 1ce2486 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
Signed-off-by: Fei Shao <fshao@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
1 parent 2ff0573 commit a20ad45

1 file changed: +12 -10 lines changed

drivers/spi/spi-mt65xx.c

Lines changed: 12 additions & 10 deletions
@@ -788,17 +788,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
788788
mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len);
789789
mtk_spi_setup_packet(host);
790790

791-
cnt = mdata->xfer_len / 4;
792-
iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
793-
trans->tx_buf + mdata->num_xfered, cnt);
791+
if (trans->tx_buf) {
792+
cnt = mdata->xfer_len / 4;
793+
iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
794+
trans->tx_buf + mdata->num_xfered, cnt);
794795

795-
remainder = mdata->xfer_len % 4;
796-
if (remainder > 0) {
797-
reg_val = 0;
798-
memcpy(&reg_val,
799-
trans->tx_buf + (cnt * 4) + mdata->num_xfered,
800-
remainder);
801-
writel(reg_val, mdata->base + SPI_TX_DATA_REG);
796+
remainder = mdata->xfer_len % 4;
797+
if (remainder > 0) {
798+
reg_val = 0;
799+
memcpy(&reg_val,
800+
trans->tx_buf + (cnt * 4) + mdata->num_xfered,
801+
remainder);
802+
writel(reg_val, mdata->base + SPI_TX_DATA_REG);
803+
}
802804
}
803805

804806
mtk_spi_enable_transfer(host);
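
Review bot: With the new `if (trans->tx_buf) {` guard, a transfer whose tx_buf is NULL skips every write to SPI_TX_DATA_REG in this path, yet `mtk_spi_enable_transfer(host);` still runs after `mtk_spi_setup_packet(host);`, so the next chunk is started without the handler loading the TX FIFO. Please add a short comment above the guard stating what the controller shifts out in that case, or write zeros explicitly if the hardware does not guarantee a defined value for RX-only transfers. Separately, both guarded operations use trans->tx_buf as the source (the data argument of iowrite32_rep and the second argument of memcpy), so the fault being fixed is a read through a NULL pointer. A one-line comment saying tx_buf may be NULL here would help the next reader, and it is worth confirming that any other code in this driver that indexes tx_buf with mdata->num_xfered has the same check.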
