Skip to content

Commit 62b1f83

Browse files
Fei ShaoSasha Levin
Fei Shao
authored and
Sasha Levin
committed
spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
[ Upstream commit a20ad45 ] The TX buffer in spi_transfer can be a NULL pointer, so the interrupt handler may end up writing to the invalid memory and cause crashes. Add a check to trans->tx_buf before using it. Fixes: 1ce2486 ("spi: mediatek: Only do dma for 4-byte aligned buffers") Signed-off-by: Fei Shao <[email protected]> Reviewed-by: AngeloGioacchino Del Regno <[email protected]> Link: https://msgid.link/r/[email protected] Signed-off-by: Mark Brown <[email protected]> Signed-off-by: Sasha Levin <[email protected]>
1 parent 79846fd commit 62b1f83

File tree

1 file changed

+12
-10
lines changed

1 file changed

+12
-10
lines changed

drivers/spi/spi-mt65xx.c

+12-10
Original file line numberDiff line numberDiff line change
@@ -787,17 +787,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
787787
mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len);
788788
mtk_spi_setup_packet(master);
789789

790-
cnt = mdata->xfer_len / 4;
791-
iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
792-
trans->tx_buf + mdata->num_xfered, cnt);
790+
if (trans->tx_buf) {
791+
cnt = mdata->xfer_len / 4;
792+
iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
793+
trans->tx_buf + mdata->num_xfered, cnt);
793794

794-
remainder = mdata->xfer_len % 4;
795-
if (remainder > 0) {
796-
reg_val = 0;
797-
memcpy(&reg_val,
798-
trans->tx_buf + (cnt * 4) + mdata->num_xfered,
799-
remainder);
800-
writel(reg_val, mdata->base + SPI_TX_DATA_REG);
795+
remainder = mdata->xfer_len % 4;
796+
if (remainder > 0) {
797+
reg_val = 0;
798+
memcpy(&reg_val,
799+
trans->tx_buf + (cnt * 4) + mdata->num_xfered,
800+
remainder);
801+
writel(reg_val, mdata->base + SPI_TX_DATA_REG);
802+
}
801803
}
802804

803805
mtk_spi_enable_transfer(master);

0 commit comments

Comments
 (0)