From: Philippe Gerum <rpm@xenomai.org>
To: Dani Sanz <sbrk.modules@gmail.com>
Cc: xenomai@lists.linux.dev
Subject: Re: [PATCH] spi: bcm2835: fix NULL pointer deref for OOB transfers.
Date: Sun, 16 Apr 2023 10:31:42 +0200
Message-ID: <87edokb4y7.fsf@xenomai.org>
In-Reply-To: <20230412170927.80793-1-d.sanz@ecler.com>

Dani Sanz <sbrk.modules@gmail.com> writes:
> From: Dani Sanz <sbrk.modules@gmail.com>
>
> There was a problem when calling ioctl(fd, SPI_IOC_ENABLE_OOB_MODE,
> oob_spi_setup) to use spidev in OOB mode after setting up the spidev.
>
> The kernel crashed because in function
> bcm2835_spi_start_oob_transfer(struct spi_controller *ctlr, struct
> spi_oob_transfer *xfer), it tried to access bs->slv->prepare_cs,
> however bs->slv was NULL.
>
> This patch sets the bs->slv value to the correct bcm2835_spidev object
> during bcm2835_spi_setup(struct spi_device *spi), so the NULL pointer
> dereference that happened later is avoided.
>
> Signed-off-by: Dani Sanz <sbrk.modules@gmail.com>
> ---
> drivers/spi/spi-bcm2835.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/spi/spi-bcm2835.c b/drivers/spi/spi-bcm2835.c
> index 2626abfc0a5b..1051482df945 100644
> --- a/drivers/spi/spi-bcm2835.c
> +++ b/drivers/spi/spi-bcm2835.c
> @@ -1244,6 +1244,8 @@ static int bcm2835_spi_setup(struct spi_device *spi)
>
> spi_set_ctldata(spi, slv);
>
> + bs->slv = slv;
> +
> ret = bcm2835_spi_setup_dma(ctlr, spi, bs, slv);
> if (ret)
> goto err_cleanup;
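
Review bot: the new `bs->slv = slv;` is placed before the bcm2835_spi_setup_dma() call, whose failure path is `goto err_cleanup`, so when DMA setup fails bs->slv can be left pointing at an slv whose setup did not complete. If err_cleanup releases slv, the OOB path named in the commit message (bs->slv->prepare_cs in bcm2835_spi_start_oob_transfer()) would go from a NULL dereference to a stale-pointer dereference, which is harder to detect. Consider moving the assignment to after the last step that can fail, or resetting bs->slv to NULL under err_cleanup. Separately, bcm2835_spi_setup() runs per spi_device while bs->slv is read from a path that only receives the controller, so with more than one device on the bus the last device set up silently wins; a short comment stating which device bs->slv is meant to track, and where it is cleared when that device goes away, would document the intended lifetime.
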
This bug has been there for quite some time it seems. Merged into
5.15.y, 6.1.y and 6.3, dovetail and evl trees. Thanks for looking into
this.
--
Philippe.