Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2342b05e authored by Fei Shao's avatar Fei Shao Committed by Sasha Levin
Browse files

spi: spi-mt65xx: Fix NULL pointer access in interrupt handler 



[ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ]

The TX buffer in spi_transfer can be a NULL pointer, so the interrupt
handler may end up writing to the invalid memory and cause crashes.

Add a check to trans->tx_buf before using it.

Fixes: 1ce24864 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
Signed-off-by: default avatarFei Shao <fshao@chromium.org>
Reviewed-by: default avatarAngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org


Signed-off-by: default avatarMark Brown <broonie@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 7bcc090c

drivers/spi/spi-mt65xx.c

+12 −10
Original line number Diff line number Diff line
@@ -524,6 +524,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) 
		mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len);

		mtk_spi_setup_packet(master);



		if (trans->tx_buf) {

			cnt = mdata->xfer_len / 4;

			iowrite32_rep(mdata->base + SPI_TX_DATA_REG,

					trans->tx_buf + mdata->num_xfered, cnt);
@@ -536,6 +537,7 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id) 
					remainder);

				writel(reg_val, mdata->base + SPI_TX_DATA_REG);

			}

		}



		mtk_spi_enable_transfer(master);