[PATCH openEuler-1.0-LTS v2] spi: spi-mt65xx: Fix NULL pointer access in interrupt handler - Kernel

8 May 2024

From: Fei Shao fshao@chromium.org
stable inclusion
from stable-v4.19.313
commit 2342b05ec5342a519e00524a507f7a6ea6791a38
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L9O8
CVE: CVE-2024-27028
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=l...
--------------------------------
[ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ]
The TX buffer in spi_transfer can be a NULL pointer, so the interrupt
handler may end up writing to the invalid memory and cause crashes.
Add a check to trans->tx_buf before using it.
Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
Signed-off-by: Fei Shao fshao@chromium.org
Reviewed-by: AngeloGioacchino Del Regno angelogioacchino.delregno@collabora.com
Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org
Signed-off-by: Mark Brown broonie@kernel.org
Signed-off-by: Sasha Levin sashal@kernel.org
Signed-off-by: Wenyu Huang huangwenyu5@huawei.com
---
 drivers/spi/spi-mt65xx.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c
index 0c2867deb36f..1a1c54bf2ae1 100644
--- a/drivers/spi/spi-mt65xx.c
+++ b/drivers/spi/spi-mt65xx.c
@@ -522,17 +522,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
    	mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len);
    	mtk_spi_setup_packet(master);
-		cnt = mdata->xfer_len / 4;
-		iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
-				trans->tx_buf + mdata->num_xfered, cnt);
-
-		remainder = mdata->xfer_len % 4;
-		if (remainder > 0) {
-			reg_val = 0;
-			memcpy(&reg_val,
-				trans->tx_buf + (cnt * 4) + mdata->num_xfered,
-				remainder);
-			writel(reg_val, mdata->base + SPI_TX_DATA_REG);
+		if (trans->tx_buf) {
+			cnt = mdata->xfer_len / 4;
+			iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
+					trans->tx_buf + mdata->num_xfered, cnt);
+
+			remainder = mdata->xfer_len % 4;
+			if (remainder > 0) {
+				reg_val = 0;
+				memcpy(&reg_val,
+					trans->tx_buf + (cnt * 4) + mdata->num_xfered,
+					remainder);
+				writel(reg_val, mdata->base + SPI_TX_DATA_REG);
+			}
    	}
mtk_spi_enable_transfer(master);
-- 
2.34.1


    