From: Fei Shao
To: Mark Brown, AngeloGioacchino Del Regno
Cc: Fei Shao, Daniel Kurtz, Matthias Brugger, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-spi@vger.kernel.org
Subject: [PATCH 1/2] spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
Date: Thu, 21 Mar 2024 14:41:01 +0800
Message-ID: <20240321064313.1385316-2-fshao@chromium.org>
In-Reply-To: <20240321064313.1385316-1-fshao@chromium.org>

The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes.

Add a check to xfer->tx_buf before using it.

Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
Signed-off-by: Fei Shao
---
 drivers/spi/spi-mt65xx.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 8d4633b353ee..86ea822c942b 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c 
@@ -788,17 +788,18 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(host); - cnt = mdata->xfer_len / 4; - iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + if (trans->tx_buf) { + cnt = mdata->xfer_len / 4; + iowrite32_rep(mdata->base + SPI_TX_DATA_REG, + trans->tx_buf + mdata->num_xfered, cnt); - remainder = mdata->xfer_len % 4; - if (remainder > 0) { - reg_val = 0; - memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, - remainder); - writel(reg_val, mdata->base + SPI_TX_DATA_REG); + remainder = mdata->xfer_len % 4; + if (remainder > 0) { + reg_val = 0; + memcpy(®_val, + trans->tx_buf + (cnt * 4) + mdata->num_xfered, + remainder); + writel(reg_val, mdata->base + SPI_TX_DATA_REG); } mtk_spi_enable_transfer(host); 
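Review bot: In the new "if (trans->tx_buf)" block, tx_buf is the source operand of both iowrite32_rep() and memcpy(), so a NULL tx_buf makes the handler read from a NULL-based address rather than write to invalid memory as the commit message puts it; consider rewording the message so it matches the fault people will actually see. With the guard in place the handler still calls mtk_spi_enable_transfer(host) without loading the TX FIFO when tx_buf is NULL; a one-line comment above the "if" stating that this is the intended behaviour for transfers without a TX buffer would document the assumption the fix relies on.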
From: Fei Shao
To: Mark Brown, AngeloGioacchino Del Regno
Cc: Fei Shao, Matthias Brugger, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org, linux-spi@vger.kernel.org
Subject: [PATCH 2/2] spi: spi-mt65xx: Rename a variable in interrupt handler
Date: Thu, 21 Mar 2024 14:41:02 +0800
Message-ID: <20240321064313.1385316-3-fshao@chromium.org>
In-Reply-To: <20240321064313.1385316-1-fshao@chromium.org>

All the spi_transfer variables in this file use the name "xfer" except the one in mtk_spi_interrupt(). Align the naming for consistency and easier searching.

While at it, reformat one memcpy() usage since the coding style allows 100 column lines today.

This commit has no functional change.

Signed-off-by: Fei Shao
---
 drivers/spi/spi-mt65xx.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 86ea822c942b..aaa0006a02a3 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c 
@@ -748,7 +748,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) u32 cmd, reg_val, cnt, remainder, len; struct spi_controller *host = dev_id; struct mtk_spi *mdata = spi_controller_get_devdata(host); - struct spi_transfer *trans = mdata->cur_transfer; + struct spi_transfer *xfer = mdata->cur_transfer; reg_val = readl(mdata->base + SPI_STATUS0_REG); if (reg_val & MTK_SPI_PAUSE_INT_STATUS) @@ -762,42 +762,40 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) return IRQ_HANDLED; } - if (!host->can_dma(host, NULL, trans)) { - if (trans->rx_buf) { + if (!host->can_dma(host, NULL, xfer)) { + if (xfer->rx_buf) { cnt = mdata->xfer_len / 4; ioread32_rep(mdata->base + SPI_RX_DATA_REG, - trans->rx_buf + mdata->num_xfered, cnt); + xfer->rx_buf + mdata->num_xfered, cnt); remainder = mdata->xfer_len % 4; if (remainder > 0) { reg_val = readl(mdata->base + SPI_RX_DATA_REG); - memcpy(trans->rx_buf + - mdata->num_xfered + - (cnt * 4), + memcpy(xfer->rx_buf + (cnt * 4) + mdata->num_xfered, ®_val, remainder); } } mdata->num_xfered += mdata->xfer_len; - if (mdata->num_xfered == trans->len) { + if (mdata->num_xfered == xfer->len) { spi_finalize_current_transfer(host); return IRQ_HANDLED; } - len = trans->len - mdata->num_xfered; + len = xfer->len - mdata->num_xfered; mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len); mtk_spi_setup_packet(host); - if (trans->tx_buf) { + if (xfer->tx_buf) { cnt = mdata->xfer_len / 4; iowrite32_rep(mdata->base + SPI_TX_DATA_REG, - trans->tx_buf + mdata->num_xfered, cnt); + xfer->tx_buf + mdata->num_xfered, cnt); remainder = mdata->xfer_len % 4; if (remainder > 0) { reg_val = 0; memcpy(®_val, - trans->tx_buf + (cnt * 4) + mdata->num_xfered, + xfer->tx_buf + (cnt * 4) + mdata->num_xfered, remainder); writel(reg_val, mdata->base + SPI_TX_DATA_REG); } 
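Review bot: The memcpy() change in the rx remainder path is more than a re-wrap: the destination goes from "trans->rx_buf + mdata->num_xfered + (cnt * 4)" to "xfer->rx_buf + (cnt * 4) + mdata->num_xfered", so the operands are reordered as well as renamed. The resulting address is the same and the new order matches the tx side, but since the message claims no functional change, either mention that the operand order was aligned with the tx path or keep the original order, so the rest of the patch can be verified as a mechanical trans-to-xfer substitution.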
@@ -808,21 +806,21 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) } if (mdata->tx_sgl) - trans->tx_dma += mdata->xfer_len; + xfer->tx_dma += mdata->xfer_len; if (mdata->rx_sgl) - trans->rx_dma += mdata->xfer_len; + xfer->rx_dma += mdata->xfer_len; if (mdata->tx_sgl && (mdata->tx_sgl_len == 0)) { mdata->tx_sgl = sg_next(mdata->tx_sgl); if (mdata->tx_sgl) { - trans->tx_dma = sg_dma_address(mdata->tx_sgl); + xfer->tx_dma = sg_dma_address(mdata->tx_sgl); mdata->tx_sgl_len = sg_dma_len(mdata->tx_sgl); } } if (mdata->rx_sgl && (mdata->rx_sgl_len == 0)) { mdata->rx_sgl = sg_next(mdata->rx_sgl); if (mdata->rx_sgl) { - trans->rx_dma = sg_dma_address(mdata->rx_sgl); + xfer->rx_dma = sg_dma_address(mdata->rx_sgl); mdata->rx_sgl_len = sg_dma_len(mdata->rx_sgl); } } @@ -840,7 +838,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) mtk_spi_update_mdata_len(host); mtk_spi_setup_packet(host); - mtk_spi_setup_dma_addr(host, trans); + mtk_spi_setup_dma_addr(host, xfer); mtk_spi_enable_transfer(host); return IRQ_HANDLED;