From patchwork Thu Mar 21 07:08:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fei Shao X-Patchwork-Id: 13598434 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 7AB6EC54E58 for ; Thu, 21 Mar 2024 07:18:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=/Bkm1DFJa016KfeSu8EkvHl6+xxMgMCXqnFVMOQWLZ4=; b=ITdNUPPQ6f8a2R 8Jqekrs75XyyxFHByE8aRjF7o2+MBEU6vuCUjYaPrDztbLSqjj1rdlYryprpXYBDik5+HF7xXAo1f fbHhigOgcGpLd3YoUxYvBLFlvGhJLGnlOHMqiIGnywviiupG0Qca9iGJQOu7+aulA0PCOp9jcjHy/ BsFh3f85WuCaYDWUqfMdwPrrEUt9ecp1a5jSnNtcrqiw08rti1ECwDvCi1z8+4GWWX/X2ZRbT1PCB cgUreIf5ncS5YMeAuehAl7o1204oOCw/H+rAHDiuKWXYy9kGqueS6Obt3NY/NerWO9uXKSl3WAsCR bmhd4iuBOrvG+ZnI7Ybw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rnCgQ-000000029ca-29en; Thu, 21 Mar 2024 07:17:50 +0000 Received: from mail-yb1-xb33.google.com ([2607:f8b0:4864:20::b33]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1rnCgN-000000029ay-1sSp for linux-arm-kernel@lists.infradead.org; Thu, 21 Mar 2024 07:17:49 +0000 Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-dcbc6a6808fso562142276.2 for ; Thu, 21 Mar 2024 00:17:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1711005466; x=1711610266; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Ci7BHkTK1iOIEG1KH5AhFPZm3PHh1Xr8+22AEHjA27s=; b=jC23/D6Tb6JYW5i8bBN4Riv9BB9JwO4w/h5dNUHJJZ3RkpQkEzmlDRjGTns2t0ZrHm 0SsbTqFJzYCwQrlHMmIYJCGdzVArofLfPBbGg3eIElz+Z5TUW4SDqSudy8hAH1APV2qD fGuD+qIcY1VC38i0IEk2EHme0SAZTIyhnZDuI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711005466; x=1711610266; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ci7BHkTK1iOIEG1KH5AhFPZm3PHh1Xr8+22AEHjA27s=; b=VwOiwqeUoCY+M1pAqDIBKbrVn61d72Ri8iKC5JBCHQb24u2kNZpO7EKgTkflituHyD lkdPbzJNZ+mW93nMlD71KL7BtLEYzALNoVY6veOSiUF3HtCFE3agNz2ZE19KQsKBVpZS PU6tjChrMgOw7tHr8RsimPhUxgsoKGQUwxCcTvwfNYWB5LExGcQ6c181XJK0qXjCJ2Xg C7zdbT1B68tKrJxi6sY/dCOM/3614eP6kNchgxc7x/hWa8xQsUZ2G3Crl3MIL25nScX/ xg83NEDxNLzvTQpgRqikjwG4KI+Wka/dEfBbMMzldTA2eC0aBMAS8KOwF1cCpApssvA9 dJ3g== X-Forwarded-Encrypted: i=1; AJvYcCVC2pzZB+qlooCcehFVQAyVj88tTEIy1vfdlxhSJn/X614UoCGnmG1sZbJY2MqjZ/UOIGMhFIEHJvtIVVgpKsvfRmKIfSDa4A1fuvcSy5uCp3xbLLI= X-Gm-Message-State: AOJu0YzwguRIwFhJU+EFUSc174wNoTTKM7ggqbXhN7rzjq4lxfiyZxOc vRiBElSt6t+i1bSUPAs7nDYKXktnuVZjVjqjfN21/EI7zYtTWPJ2P2qLUFE3NRGlcgAaq25sgHI iLQ== X-Google-Smtp-Source: AGHT+IEjYPnHZWGzrzuctWTDZl3/WbtAl14yb32XRq028RUvicCO/g54v3a+VeurCXvyrMfQTJ0ZCw== X-Received: by 2002:a05:6a20:6716:b0:1a3:6378:1e8f with SMTP id q22-20020a056a20671600b001a363781e8fmr7149948pzh.32.1711004990595; Thu, 21 Mar 2024 00:09:50 -0700 (PDT) Received: from fshao-p620.tpe.corp.google.com ([2401:fa00:1:10:c1ff:a4cf:ac35:8df6]) by smtp.gmail.com with ESMTPSA id o1-20020a170902d4c100b001dbcfb4766csm8705582plg.226.2024.03.21.00.09.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Mar 2024 00:09:50 -0700 (PDT) From: Fei Shao To: Mark Brown , AngeloGioacchino Del Regno Cc: Fei Shao , Daniel Kurtz , Matthias Brugger , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-spi@vger.kernel.org Subject: [PATCH v2 1/2] spi: spi-mt65xx: Fix NULL pointer access in interrupt handler Date: Thu, 21 Mar 2024 15:08:57 +0800 Message-ID: <20240321070942.1587146-2-fshao@chromium.org> X-Mailer: git-send-email 2.44.0.396.g6e790dbe36-goog In-Reply-To: <20240321070942.1587146-1-fshao@chromium.org> References: <20240321070942.1587146-1-fshao@chromium.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240321_001747_543881_EB717822 X-CRM114-Status: GOOD ( 14.94 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes. Add a check to trans->tx_buf before using it. Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers") Signed-off-by: Fei Shao Reviewed-by: AngeloGioacchino Del Regno --- Changes in v2: - Restore a missing curly brace being dropped during rebase - Fix a typo in commit message (trans, not xfer) drivers/spi/spi-mt65xx.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 8d4633b353ee..e4cb22fe0075 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c @@ -788,17 +788,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(host); - cnt = mdata->xfer_len / 4; - iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + if (trans->tx_buf) { + cnt = mdata->xfer_len / 4; + iowrite32_rep(mdata->base + SPI_TX_DATA_REG, + trans->tx_buf + mdata->num_xfered, cnt); - remainder = mdata->xfer_len % 4; - if (remainder > 0) { - reg_val = 0; - memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, - remainder); - writel(reg_val, mdata->base + SPI_TX_DATA_REG); + remainder = mdata->xfer_len % 4; + if (remainder > 0) { + reg_val = 0; + memcpy(®_val, + trans->tx_buf + (cnt * 4) + mdata->num_xfered, + remainder); + writel(reg_val, mdata->base + SPI_TX_DATA_REG); + } } mtk_spi_enable_transfer(host); From patchwork Thu Mar 21 07:08:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Fei Shao X-Patchwork-Id: 13598433 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B7F30C54E68 for ; Thu, 21 Mar 2024 07:16:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=ye8tx/NxIqMCjef+Y+Mmv47ga37MSgGGIAjrrlPLTPM=; b=T99ji4smUKTbDx r+5aCmaYnkjeFid9FiY7bQ2s85ecLjEcKZROXmZCyYe67MnIsJyuAEJxlwoPTjishmciIbsstomN3 Q6LN5V2UdhsGLSC4CDpu6Pyo99kZJYkpL0gi1NkYRzSnUuG9hZYwraEXvtZhfhrK7H0CJVApJov7d ksvQKPVSHGJxcm1UYwEHbwKmYzf/JpP2tXZBUYO92DktjoI9tK+7MohGE40uj+cGpVk8XqIJlytlj jAICM4sSFyJKgP68ClTkhyb/ktSRIX9b9xlva7szPl5grI4u5QmUHz6oy4/GymoD+zmrHS0hU5bSA Z9SIQAyinDF6p9CqnUCw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rnCfF-000000029It-0vhg; Thu, 21 Mar 2024 07:16:37 +0000 Received: from mail-qk1-x72f.google.com ([2607:f8b0:4864:20::72f]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1rnCfB-000000029H7-4445 for linux-arm-kernel@lists.infradead.org; Thu, 21 Mar 2024 07:16:35 +0000 Received: by mail-qk1-x72f.google.com with SMTP id af79cd13be357-789f00aba19so50944885a.0 for ; Thu, 21 Mar 2024 00:16:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1711005391; x=1711610191; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bSVRkP1CEN/2Cgd43eVZqXzzvCIz80rEAhuUK1PkoaA=; b=dX7oVwgDZ2++HbELDlxDZPlDfZivPzSzEEw0i6eAhBi6KfOvIN2RdDPyu9p4LosE/0 JJorLtLZHV8VRxRb9hgcVAYVQDZpdASxJ5nLWhm8ccSGsn94JRMj353yjCodmEvGtL75 VUf5/6N+IsukJuGW83WjHfESJlZPMDiA/2yKI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711005391; x=1711610191; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bSVRkP1CEN/2Cgd43eVZqXzzvCIz80rEAhuUK1PkoaA=; b=BCdik5NwOFOG2w7HeRdAGzAXFDnUeQvhuQXLBKDwDABHVFJiNWd0R7/LioMsTv/pF4 zowRQpW+CKoDt+GRDeTzlZhIZIsDISKVPspoUshltb0UCtIFMNWJE/i9gEh3IalPEEu6 oxJItXPdSaHQxHThJceY3khQSKNK0bDGkRyaClh7DzRVGC8RykMXWkbcbAeZU7EJnaLR aB7zK9Wo7SceFsfnH0RBPRXpkjvsBsk6whnptlflqqDYXcqj+E/UchZbJx2zygQQiU/c nsu+FUa2A6/F/yPnp+zYU1PjcGqsFNkAMVf+ZGgH8JYGvyT2GEXHtnGZXggRsOZt1mzi F9vw== X-Forwarded-Encrypted: i=1; AJvYcCXYB75w1f2TwrW2ZSHKr5gzBIX0CPQk1+Va420v7tYz/mQjB2hHqEptNi6RKy6nPqE9+Z6748WO9Fl5pbNC26OW0z0LhFxYUmNv7k9ctwJAuKl22Yo= X-Gm-Message-State: AOJu0Yw4z/l/ItyWbl/jJU54uXdWNR5Z1yiwp6+qXzN3+kiM8uwHw+GM K1aMM97iO0kVAdF+YlA6ADwr9bn93g7fkn3m3s8iNGGRYpx/fM+2SjhdxdrCfVekw5ExLNqeMK/ /Ag== X-Google-Smtp-Source: AGHT+IE7zDY2bPbXvYy4oPA05ILy81XLNYUL1pNTca/VSSwS1G6IzocntbS/L6V+8RGTtIae+u5dmw== X-Received: by 2002:a05:6a21:3396:b0:1a1:87b5:298b with SMTP id yy22-20020a056a21339600b001a187b5298bmr1341758pzb.21.1711004993178; Thu, 21 Mar 2024 00:09:53 -0700 (PDT) Received: from fshao-p620.tpe.corp.google.com ([2401:fa00:1:10:c1ff:a4cf:ac35:8df6]) by smtp.gmail.com with ESMTPSA id o1-20020a170902d4c100b001dbcfb4766csm8705582plg.226.2024.03.21.00.09.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Mar 2024 00:09:52 -0700 (PDT) From: Fei Shao To: Mark Brown , AngeloGioacchino Del Regno Cc: Fei Shao , Matthias Brugger , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-spi@vger.kernel.org Subject: [PATCH v2 2/2] spi: spi-mt65xx: Rename a variable in interrupt handler Date: Thu, 21 Mar 2024 15:08:58 +0800 Message-ID: <20240321070942.1587146-3-fshao@chromium.org> X-Mailer: git-send-email 2.44.0.396.g6e790dbe36-goog In-Reply-To: <20240321070942.1587146-1-fshao@chromium.org> References: <20240321070942.1587146-1-fshao@chromium.org> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240321_001634_013645_E94854AA X-CRM114-Status: GOOD ( 15.42 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org All the spi_transfer variables in this file use the name "xfer" except the one in mtk_spi_interrupt(). Align the naming for consistency and easier searching. While at it, reformat one memcpy() usage since the coding style allows 100 column lines today. This commit has no functional change. Signed-off-by: Fei Shao Reviewed-by: AngeloGioacchino Del Regno --- (no changes since v1) drivers/spi/spi-mt65xx.c | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index e4cb22fe0075..36c2f52cd6b8 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c @@ -748,7 +748,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) u32 cmd, reg_val, cnt, remainder, len; struct spi_controller *host = dev_id; struct mtk_spi *mdata = spi_controller_get_devdata(host); - struct spi_transfer *trans = mdata->cur_transfer; + struct spi_transfer *xfer = mdata->cur_transfer; reg_val = readl(mdata->base + SPI_STATUS0_REG); if (reg_val & MTK_SPI_PAUSE_INT_STATUS) @@ -762,42 +762,40 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) return IRQ_HANDLED; } - if (!host->can_dma(host, NULL, trans)) { - if (trans->rx_buf) { + if (!host->can_dma(host, NULL, xfer)) { + if (xfer->rx_buf) { cnt = mdata->xfer_len / 4; ioread32_rep(mdata->base + SPI_RX_DATA_REG, - trans->rx_buf + mdata->num_xfered, cnt); + xfer->rx_buf + mdata->num_xfered, cnt); remainder = mdata->xfer_len % 4; if (remainder > 0) { reg_val = readl(mdata->base + SPI_RX_DATA_REG); - memcpy(trans->rx_buf + - mdata->num_xfered + - (cnt * 4), + memcpy(xfer->rx_buf + (cnt * 4) + mdata->num_xfered, ®_val, remainder); } } mdata->num_xfered += mdata->xfer_len; - if (mdata->num_xfered == trans->len) { + if (mdata->num_xfered == xfer->len) { spi_finalize_current_transfer(host); return IRQ_HANDLED; } - len = trans->len - mdata->num_xfered; + len = xfer->len - mdata->num_xfered; mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(host); - if (trans->tx_buf) { + if (xfer->tx_buf) { cnt = mdata->xfer_len / 4; iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + xfer->tx_buf + mdata->num_xfered, cnt); remainder = mdata->xfer_len % 4; if (remainder > 0) { reg_val = 0; memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, + xfer->tx_buf + (cnt * 4) + mdata->num_xfered, remainder); writel(reg_val, mdata->base + SPI_TX_DATA_REG); } @@ -809,21 +807,21 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) } if (mdata->tx_sgl) - trans->tx_dma += mdata->xfer_len; + xfer->tx_dma += mdata->xfer_len; if (mdata->rx_sgl) - trans->rx_dma += mdata->xfer_len; + xfer->rx_dma += mdata->xfer_len; if (mdata->tx_sgl && (mdata->tx_sgl_len == 0)) { mdata->tx_sgl = sg_next(mdata->tx_sgl); if (mdata->tx_sgl) { - trans->tx_dma = sg_dma_address(mdata->tx_sgl); + xfer->tx_dma = sg_dma_address(mdata->tx_sgl); mdata->tx_sgl_len = sg_dma_len(mdata->tx_sgl); } } if (mdata->rx_sgl && (mdata->rx_sgl_len == 0)) { mdata->rx_sgl = sg_next(mdata->rx_sgl); if (mdata->rx_sgl) { - trans->rx_dma = sg_dma_address(mdata->rx_sgl); + xfer->rx_dma = sg_dma_address(mdata->rx_sgl); mdata->rx_sgl_len = sg_dma_len(mdata->rx_sgl); } } @@ -841,7 +839,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) mtk_spi_update_mdata_len(host); mtk_spi_setup_packet(host); - mtk_spi_setup_dma_addr(host, trans); + mtk_spi_setup_dma_addr(host, xfer); mtk_spi_enable_transfer(host); return IRQ_HANDLED;