From: Greg Kroah-Hartman Date: Sun, 24 Jul 2022 14:49:31 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.10.133~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93a8c580ca482e7490c7e35d8f177ba2541f1211;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index cd4b457cb9d..59d05b1a77c 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -52,3 +52,4 @@ tcp-fix-a-data-race-around-sysctl_tcp_retrans_collap.patch tcp-fix-a-data-race-around-sysctl_tcp_stdurg.patch tcp-fix-a-data-race-around-sysctl_tcp_rfc1337.patch tcp-fix-data-races-around-sysctl_tcp_max_reordering.patch +spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch diff --git a/queue-5.4/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch b/queue-5.4/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch new file mode 100644 index 00000000000..14defc21dc3 --- /dev/null +++ b/queue-5.4/spi-bcm2835-bcm2835_spi_handle_err-fix-null-pointer-deref-for-non-dma-transfers.patch @@ -0,0 +1,49 @@ +From 4ceaa684459d414992acbefb4e4c31f2dfc50641 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Tue, 19 Jul 2022 09:22:35 +0200 +Subject: spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers + +From: Marc Kleine-Budde + +commit 4ceaa684459d414992acbefb4e4c31f2dfc50641 upstream. + +In case a IRQ based transfer times out the bcm2835_spi_handle_err() +function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop +dma_pending flag") the TX and RX DMA transfers are unconditionally +canceled, leading to NULL pointer derefs if ctlr->dma_tx or +ctlr->dma_rx are not set. + +Fix the NULL pointer deref by checking that ctlr->dma_tx and +ctlr->dma_rx are valid pointers before accessing them. + +Fixes: 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag") +Cc: Lukas Wunner +Signed-off-by: Marc Kleine-Budde +Link: https://lore.kernel.org/r/20220719072234.2782764-1-mkl@pengutronix.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm2835.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-bcm2835.c ++++ b/drivers/spi/spi-bcm2835.c +@@ -1159,10 +1159,14 @@ static void bcm2835_spi_handle_err(struc + struct bcm2835_spi *bs = spi_controller_get_devdata(ctlr); + + /* if an error occurred and we have an active dma, then terminate */ +- dmaengine_terminate_sync(ctlr->dma_tx); +- bs->tx_dma_active = false; +- dmaengine_terminate_sync(ctlr->dma_rx); +- bs->rx_dma_active = false; ++ if (ctlr->dma_tx) { ++ dmaengine_terminate_sync(ctlr->dma_tx); ++ bs->tx_dma_active = false; ++ } ++ if (ctlr->dma_rx) { ++ dmaengine_terminate_sync(ctlr->dma_rx); ++ bs->rx_dma_active = false; ++ } + bcm2835_spi_undo_prologue(bs); + + /* and reset */