From e4344a9e38a66a750e6173c1ddb560d088532b41 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 24 Jul 2022 16:49:40 +0200
Subject: [PATCH] 5.10-stable patches added patches: spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
---
 queue-5.10/series | 1 +
 ...-pointer-deref-for-non-dma-transfers.patch | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
diff --git a/queue-5.10/series b/queue-5.10/series
index d26697f21b3..cb4b4b1e4b1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -74,3 +74,4 @@ tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch
 tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch
 tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch
 tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch
+spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
diff --git a/queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch b/queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
new file mode 100644
index 00000000000..3234db1181c
--- /dev/null
+++ b/queue-5.10/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch
@@ -0,0 +1,49 @@
+From 4ceaa684459d414992acbefb4e4c31f2dfc50641 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde
+Date: Tue, 19 Jul 2022 09:22:35 +0200
+Subject: spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers
+
+From: Marc Kleine-Budde
+
+commit 4ceaa684459d414992acbefb4e4c31f2dfc50641 upstream.
+
+In case a IRQ based transfer times out the bcm2835_spi_handle_err()
+function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop
+dma_pending flag") the TX and RX DMA transfers are unconditionally
+canceled, leading to NULL pointer derefs if ctlr->dma_tx or
+ctlr->dma_rx are not set.
+
+Fix the NULL pointer deref by checking that ctlr->dma_tx and
+ctlr->dma_rx are valid pointers before accessing them.
+
+Fixes: 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag")
+Cc: Lukas Wunner
+Signed-off-by: Marc Kleine-Budde
+Link: https://lore.kernel.org/r/20220719072234.2782764-1-mkl@pengutronix.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -1174,10 +1174,14 @@ static void bcm2835_spi_handle_err(struc
+ struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr);
+
+ /* if an error occurred and we have an active dma, then terminate */
+- dmaengine_terminate_sync(ctlr->dma_tx);
+- bs->tx_dma_active = false;
+- dmaengine_terminate_sync(ctlr->dma_rx);
+- bs->rx_dma_active = false;
++ if (ctlr->dma_tx) {
++ dmaengine_terminate_sync(ctlr->dma_tx);
++ bs->tx_dma_active = false;
++ }
++ if (ctlr->dma_rx) {
++ dmaengine_terminate_sync(ctlr->dma_rx);
++ bs->rx_dma_active = false;
++ }
+ bcm2835_spi_undo_prologue(bs);
+
+ /* and reset */
--
2.47.3
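Review bot: The comment kept above the new guards in bcm2835_spi_handle_err(), `/* if an error occurred and we have an active dma, then terminate */`, no longer describes the code, because the added `if (ctlr->dma_tx)` and `if (ctlr->dma_rx)` checks test whether a channel pointer is set, not whether a DMA is active. I would reword it to record why the checks exist, e.g. `/* dma_tx/dma_rx are not set for IRQ based transfers; terminate only channels that exist */`, so a later cleanup does not make the calls unconditional again and bring back the NULL dereference on the timeout path. The `tx_dma_active` and `rx_dma_active` flags are now cleared only inside the guards. That is presumably safe because they can only be set when a channel exists, but the hunk does not show where they are set, so it is worth confirming against the rest of the driver. The function begins and ends outside the hunk.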