spi: imx: Fix UAF on package-1 prepare failure in spi_imx_dma_data_prepare()

When transfer->len exceeds MX51_ECSPI_CTRL_MAX_BURST and is not a
multiple of it, spi_imx_dma_data_prepare() splits the transfer into
two DMA packages. If preparing the second package fails:

	ret = spi_imx_dma_tx_data_handle(spi_imx, &spi_imx->dma_data[1],
					 transfer->tx_buf + spi_imx->dma_data[0].data_len,
					 false);
	if (ret) {
		kfree(spi_imx->dma_data[0].dma_tx_buf);
		kfree(spi_imx->dma_data[0].dma_rx_buf);
		kfree(spi_imx->dma_data);
	}
	}

	return 0;

the function frees the package-0 buffers and the dma_data array,
then falls through to `return 0`, telling the caller the prepare
succeeded. The caller then dereferences the freed dma_data array,
producing a use-after-free.

Return the error from the failure path so the caller takes its
existing failure branch.

Fixes: faa8e404ad8e ("spi: imx: support dynamic burst length for ECSPI DMA mode")
Signed-off-by: John Madieu <john.madieu@gmail.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260501135951.2416527-3-john.madieu@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 7ae8078c10efa0b7153b24ee2ced7ba9bc1ff4a1..4e3dbd01d6191ef69eca5e8f0817efe183ab9c30 100644 (file)
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1709,6 +1709,7 @@ static int spi_imx_dma_data_prepare(struct spi_imx_data *spi_imx,
                        kfree(spi_imx->dma_data[0].dma_tx_buf);
                        kfree(spi_imx->dma_data[0].dma_rx_buf);
                        kfree(spi_imx->dma_data);
+                       return ret;
                }
        }