spi: spi-imx: Add check for spi_imx_setupxfer()

[ Upstream commit 951a04ab3a2db4029debfa48d380ef834b93207e ]

Add check for the return value of spi_imx_setupxfer().
spi_imx->rx and spi_imx->tx function pointer can be NULL when
spi_imx_setupxfer() return error, and make NULL pointer dereference.

 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
 Call trace:
  0x0
  spi_imx_pio_transfer+0x50/0xd8
  spi_imx_transfer_one+0x18c/0x858
  spi_transfer_one_message+0x43c/0x790
  __spi_pump_transfer_message+0x238/0x5d4
  __spi_sync+0x2b0/0x454
  spi_write_then_read+0x11c/0x200

Signed-off-by: Tamura Dai <kirinode0@gmail.com>
Reviewed-by: Carlos Song <carlos.song@nxp.com>
Link: https://patch.msgid.link/20250417011700.14436-1-kirinode0@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index daa32bde615561bd06dcb84a3c3f75ab32739fa8..da4442954375b1a8de2e07d74a8c90a8294aa888 100644 (file)
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1614,10 +1614,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller,
                                struct spi_device *spi,
                                struct spi_transfer *transfer)
 {
+       int ret;
        struct spi_imx_data *spi_imx = spi_controller_get_devdata(spi->controller);
        unsigned long hz_per_byte, byte_limit;
 
-       spi_imx_setupxfer(spi, transfer);
+       ret = spi_imx_setupxfer(spi, transfer);
+       if (ret < 0)
+               return ret;
        transfer->effective_speed_hz = spi_imx->spi_bus_clk;
 
        /* flush rxfifo before transfer */