spi: spi-imx: Add check for spi_imx_setupxfer()

Message ID	20250417011700.14436-1-kirinode0@gmail.com (mailing list archive)
State	Accepted
Commit	951a04ab3a2db4029debfa48d380ef834b93207e
Headers	show Received: from mail-pg1-f170.google.com (mail-pg1-f170.google.com [209.85.215.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2ED372E628; Thu, 17 Apr 2025 01:17:34 +0000 (UTC) From: Tamura Dai <kirinode0@gmail.com> To: Mark Brown <broonie@kernel.org>, Shawn Guo <shawnguo@kernel.org>, Sascha Hauer <s.hauer@pengutronix.de>, Pengutronix Kernel Team <kernel@pengutronix.de>, Fabio Estevam <festevam@gmail.com> Cc: linux-spi@vger.kernel.org, imx@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Tamura Dai <kirinode0@gmail.com> Subject: [PATCH] spi: spi-imx: Add check for spi_imx_setupxfer() Date: Thu, 17 Apr 2025 10:16:05 +0900 Message-ID: <20250417011700.14436-1-kirinode0@gmail.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	spi: spi-imx: Add check for spi_imx_setupxfer() \| expand spi: spi-imx: Add check for spi_imx_setupxfer()

Message ID

20250417011700.14436-1-kirinode0@gmail.com (mailing list archive)

State

Accepted

Commit

951a04ab3a2db4029debfa48d380ef834b93207e

Headers

From: Tamura Dai <kirinode0@gmail.com>
To: Mark Brown <broonie@kernel.org>,
	Shawn Guo <shawnguo@kernel.org>,
	Sascha Hauer <s.hauer@pengutronix.de>,
	Pengutronix Kernel Team <kernel@pengutronix.de>,
	Fabio Estevam <festevam@gmail.com>
Cc: linux-spi@vger.kernel.org,
	imx@lists.linux.dev,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	Tamura Dai <kirinode0@gmail.com>
Subject: [PATCH] spi: spi-imx: Add check for spi_imx_setupxfer()
Date: Thu, 17 Apr 2025 10:16:05 +0900
Message-ID: <20250417011700.14436-1-kirinode0@gmail.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

spi: spi-imx: Add check for spi_imx_setupxfer() | expand

Commit Message

Tamura Dai April 17, 2025, 1:16 a.m. UTC

Add check for the return value of spi_imx_setupxfer().
spi_imx->rx and spi_imx->tx function pointer can be NULL when
spi_imx_setupxfer() return error, and make NULL pointer dereference.

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
 Call trace:
  0x0
  spi_imx_pio_transfer+0x50/0xd8
  spi_imx_transfer_one+0x18c/0x858
  spi_transfer_one_message+0x43c/0x790
  __spi_pump_transfer_message+0x238/0x5d4
  __spi_sync+0x2b0/0x454
  spi_write_then_read+0x11c/0x200

Signed-off-by: Tamura Dai <kirinode0@gmail.com>
---
 drivers/spi/spi-imx.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Carlos Song April 17, 2025, 1:39 a.m. UTC | #1

Hi, Thank you for fix.

Reviewed-by: Carlos Song <carlos.song@nxp.com>

> -----Original Message-----
> From: Tamura Dai <kirinode0@gmail.com>
> Sent: Thursday, April 17, 2025 9:16 AM
> To: Mark Brown <broonie@kernel.org>; Shawn Guo <shawnguo@kernel.org>;
> Sascha Hauer <s.hauer@pengutronix.de>; Pengutronix Kernel Team
> <kernel@pengutronix.de>; Fabio Estevam <festevam@gmail.com>
> Cc: linux-spi@vger.kernel.org; imx@lists.linux.dev;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; Tamura Dai
> <kirinode0@gmail.com>
> Subject: [EXT] [PATCH] spi: spi-imx: Add check for spi_imx_setupxfer()
> 
> [You don't often get email from kirinode0@gmail.com. Learn why this is
> important at https://aka.ms/LearnAboutSenderIdentification ]
> 
> Caution: This is an external email. Please take care when clicking links or
> opening attachments. When in doubt, report the message using the 'Report
> this email' button
> 
> 
> Add check for the return value of spi_imx_setupxfer().
> spi_imx->rx and spi_imx->tx function pointer can be NULL when
> spi_imx_setupxfer() return error, and make NULL pointer dereference.
> 
>  Unable to handle kernel NULL pointer dereference at virtual address
> 0000000000000000  Call trace:
>   0x0
>   spi_imx_pio_transfer+0x50/0xd8
>   spi_imx_transfer_one+0x18c/0x858
>   spi_transfer_one_message+0x43c/0x790
>   __spi_pump_transfer_message+0x238/0x5d4
>   __spi_sync+0x2b0/0x454
>   spi_write_then_read+0x11c/0x200
> 
> Signed-off-by: Tamura Dai <kirinode0@gmail.com>
> ---
>  drivers/spi/spi-imx.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c index
> 832d6e9009eb..c93d80a4d734 100644
> --- a/drivers/spi/spi-imx.c
> +++ b/drivers/spi/spi-imx.c
> @@ -1695,9 +1695,12 @@ static int spi_imx_transfer_one(struct
> spi_controller *controller,
>                                 struct spi_device *spi,
>                                 struct spi_transfer *transfer)  {
> +       int ret;
>         struct spi_imx_data *spi_imx =
> spi_controller_get_devdata(spi->controller);
> 
> -       spi_imx_setupxfer(spi, transfer);
> +       ret = spi_imx_setupxfer(spi, transfer);
> +       if (ret < 0)
> +               return ret;
>         transfer->effective_speed_hz = spi_imx->spi_bus_clk;
> 
>         /* flush rxfifo before transfer */
> --
> 2.47.2
>

Mark Brown April 17, 2025, 4:22 p.m. UTC | #2

On Thu, 17 Apr 2025 10:16:05 +0900, Tamura Dai wrote:
> Add check for the return value of spi_imx_setupxfer().
> spi_imx->rx and spi_imx->tx function pointer can be NULL when
> spi_imx_setupxfer() return error, and make NULL pointer dereference.
> 
>  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
>  Call trace:
>   0x0
>   spi_imx_pio_transfer+0x50/0xd8
>   spi_imx_transfer_one+0x18c/0x858
>   spi_transfer_one_message+0x43c/0x790
>   __spi_pump_transfer_message+0x238/0x5d4
>   __spi_sync+0x2b0/0x454
>   spi_write_then_read+0x11c/0x200
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next

Thanks!

[1/1] spi: spi-imx: Add check for spi_imx_setupxfer()
      commit: 951a04ab3a2db4029debfa48d380ef834b93207e

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 832d6e9009eb..c93d80a4d734 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1695,9 +1695,12 @@  static int spi_imx_transfer_one(struct spi_controller *controller,
 				struct spi_device *spi,
 				struct spi_transfer *transfer)
 {
+	int ret;
 	struct spi_imx_data *spi_imx = spi_controller_get_devdata(spi->controller);
 
-	spi_imx_setupxfer(spi, transfer);
+	ret = spi_imx_setupxfer(spi, transfer);
+	if (ret < 0)
+		return ret;
 	transfer->effective_speed_hz = spi_imx->spi_bus_clk;
 
 	/* flush rxfifo before transfer */

spi: spi-imx: Add check for spi_imx_setupxfer()

Commit Message

Comments

Patch