spi: Assign dummy scatterlist to unidirectional transfers

andy-shev · broonie · commit 9dedabe95b49 · 2024-05-29T16:47:53.000+01:00
Commit 8cc3bad ("spi: Remove unneded check for orig_nents") introduced a regression: unmapped data could now be passed to the DMA APIs, resulting in null pointer dereferences. Commit 9f788ba ("spi: Don't mark message DMA mapped when no transfer in it is") and commit da56009 ("spi: Check if transfer is mapped before calling DMA sync APIs") addressed the problem, but only partially. Unidirectional transactions will still result in null pointer dereference. To prevent that from happening, assign a dummy scatterlist when no data is mapped, so that the DMA API can be called and not result in a null pointer dereference. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Reported-by: Neil Armstrong <neil.armstrong@linaro.org> Closes: https://lore.kernel.org/r/8ae675b5-fcf9-4c9b-b06a-4462f70e1322@linaro.org Reported-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Closes: https://lore.kernel.org/all/d3679496-2e4e-4a7c-97ed-f193bd53af1d@notapiano Closes: https://lore.kernel.org/all/4748499f-789c-45a8-b50a-2dd09f4bac8c@notapiano Fixes: 8cc3bad ("spi: Remove unneded check for orig_nents") Tested-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> [nfraprado: wrote the commit message] Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> Link: https://msgid.link/r/20240529-dma-oops-dummy-v1-1-bb43aacfb11b@collabora.com Signed-off-by: Mark Brown <broonie@kernel.org>
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
@@ -1220,6 +1220,11 @@ void spi_unmap_buf(struct spi_controller *ctlr, struct device *dev,
 	spi_unmap_buf_attrs(ctlr, dev, sgt, dir, 0);
 }
 
+/* Dummy SG for unidirect transfers */
+static struct scatterlist dummy_sg = {
+	.page_link = SG_END,
+};
+
 static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
 {
 	struct device *tx_dev, *rx_dev;
@@ -1258,6 +1263,8 @@ static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
 						attrs);
 			if (ret != 0)
 				return ret;
+		} else {
+			xfer->tx_sg.sgl = &dummy_sg;
 		}
 
 		if (xfer->rx_buf != NULL) {
@@ -1271,6 +1278,8 @@ static int __spi_map_msg(struct spi_controller *ctlr, struct spi_message *msg)
 
 				return ret;
 			}
+		} else {
+			xfer->rx_sg.sgl = &dummy_sg;
 		}
 	}
 	/* No transfer has been mapped, bail out with success */

Original file line number	Diff line number	Diff line change
`@@ -1220,6 +1220,11 @@ void spi_unmap_buf(struct spi_controller ctlr, struct device dev,`
`1220`	`1220`	`spi_unmap_buf_attrs(ctlr, dev, sgt, dir, 0);`
`1221`	`1221`	`}`
`1222`	`1222`
	`1223`	`+/* Dummy SG for unidirect transfers */`
	`1224`	`+static struct scatterlist dummy_sg = {`
	`1225`	`+ .page_link = SG_END,`
	`1226`	`+};`
	`1227`	`+`
`1223`	`1228`	`static int __spi_map_msg(struct spi_controller ctlr, struct spi_message msg)`
`1224`	`1229`	`{`
`1225`	`1230`	`struct device tx_dev, rx_dev;`
`@@ -1258,6 +1263,8 @@ static int __spi_map_msg(struct spi_controller ctlr, struct spi_message msg)`
`1258`	`1263`	`attrs);`
`1259`	`1264`	`if (ret != 0)`
`1260`	`1265`	`return ret;`
	`1266`	`+ } else {`
	`1267`	`+ xfer->tx_sg.sgl = &dummy_sg;`
`1261`	`1268`	`}`
`1262`	`1269`
`1263`	`1270`	`if (xfer->rx_buf != NULL) {`
`@@ -1271,6 +1278,8 @@ static int __spi_map_msg(struct spi_controller ctlr, struct spi_message msg)`
`1271`	`1278`
`1272`	`1279`	`return ret;`
`1273`	`1280`	`}`
	`1281`	`+ } else {`
	`1282`	`+ xfer->rx_sg.sgl = &dummy_sg;`
`1274`	`1283`	`}`
`1275`	`1284`	`}`
`1276`	`1285`	`/* No transfer has been mapped, bail out with success */`