[2/2] spi: spi-zynq-qspi: Fix stack violation bug

Message ID 20210318102446.25142-3-amit.kumar-mahapatra@xilinx.com
State New
Series spi: spi-zynq-qspi: Fix stack violation bug

Commit Message

Amit Kumar Mahapatra March 18, 2021, 10:24 a.m. UTC
From: Karen Dombroski <karen.dombroski@marsbioimaging.com>

When the number of bytes for the op is greater than one, the read could
run off the end of the function stack and cause a crash.

This patch restores the behaviour of safely reading out of the original
opcode location.

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
 in: zynq_qspi_exec_mem_op+0x1c0/0x2e0
CPU1: stopping
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.9.11-mars-2020.11 #2
Hardware name: Xilinx Zynq Platform
[<c010c15c>] (unwind_backtrace) from [<c0109034>] (show_stack+0x10/0x14)
[<c0109034>] (show_stack) from [<c0591848>] (dump_stack+0xb8/0xd4)
[<c0591848>] (dump_stack) from [<c010aecc>] (handle_IPI+0xe0/0x1a4)
[<c010aecc>] (handle_IPI) from [<c0343890>] (gic_handle_irq+0x84/0x90)
[<c0343890>] (gic_handle_irq) from [<c0100b0c>] (__irq_svc+0x6c/0xa8)
Exception stack(0xef087f58 to 0xef087fa0)
7f40:                                                       00000780 ef7e26f4
7f60: 00000000 c0114380 00000000 00000000 ef086000 c0903eec 00000002 ef087fb8
7f80: c0903f28 00000000 ffffffe8 ef087fa8 c0106824 c0106814 60000013 ffffffff
[<c0100b0c>] (__irq_svc) from [<c0106814>] (arch_cpu_idle+0x1c/0x38)
[<c0106814>] (arch_cpu_idle) from [<c0598d58>] (default_idle_call+0x20/0x28)
[<c0598d58>] (default_idle_call) from [<c013b744>] (do_idle+0x124/0x22c)
[<c013b744>] (do_idle) from [<c013b9bc>] (cpu_startup_entry+0x18/0x1c)
[<c013b9bc>] (cpu_startup_entry) from [<001014ac>] (0x1014ac)

Signed-off-by: Karen Dombroski <karen.dombroski@marsbioimaging.com>
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
---
 drivers/spi/spi-zynq-qspi.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--
2.17.1

Comments

Mark Brown March 18, 2021, 1:23 p.m. UTC | #1
On Thu, Mar 18, 2021 at 04:24:46AM -0600, Amit Kumar Mahapatra wrote:

> When the number of bytes for the op is greater than one, the read could
> run off the end of the function stack and cause a crash.

> This patch restores the behaviour of safely reading out of the original
> opcode location.

> Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
>  in: zynq_qspi_exec_mem_op+0x1c0/0x2e0
> CPU1: stopping

Please think hard before including complete backtraces in upstream
reports; they are very large and contain almost no useful information
relative to their size, so they often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.

Patch

diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 1acde9e24973..5a3d81c31d04 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -528,18 +528,17 @@  static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
        struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
        int err = 0, i;
        u8 *tmpbuf;
-       u8 opcode = op->cmd.opcode;

        dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n",
-               opcode, op->cmd.buswidth, op->addr.buswidth,
+               op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
                op->dummy.buswidth, op->data.buswidth);

        zynq_qspi_chipselect(mem->spi, true);
        zynq_qspi_config_op(xqspi, mem->spi);

-       if (op->cmd.nbytes) {
+       if (op->cmd.opcode) {
                reinit_completion(&xqspi->data_completion);
-               xqspi->txbuf = &opcode;
+               xqspi->txbuf = (u8 *)&op->cmd.opcode;
                xqspi->rxbuf = NULL;
                xqspi->tx_bytes = op->cmd.nbytes;
                xqspi->rx_bytes = op->cmd.nbytes;
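Review bot: the guard change from `if (op->cmd.nbytes) {` to `if (op->cmd.opcode) {` is a behaviour change the commit message does not mention and is not needed for the overread fix: the command phase is now skipped whenever the opcode value is 0x00 even though `op->cmd.nbytes` is non-zero, and it is entered for a non-zero opcode with `nbytes == 0`, which then programs a zero-length transfer. Keeping `if (op->cmd.nbytes)` matches `tx_bytes` and `rx_bytes`, which are still taken from `op->cmd.nbytes`. Separately, `xqspi->txbuf = (u8 *)&op->cmd.opcode;` only makes the read in bounds as long as `op->cmd.nbytes` never exceeds `sizeof(op->cmd.opcode)`; the spi-mem `exec_op` callback receives `const struct spi_mem_op *op`, so the cast also discards a `const`. A one-line check (or a comment stating that invariant) next to the assignment, and a `const`-preserving pointer type for `txbuf` if its declaration allows it, would document why this is now safe. For `nbytes == 2` the bytes also leave in host byte order, which is worth confirming against the intended wire order.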