From: Chris Ruehl
To: jiada_wang@mentor.com, broonie@kernel.org
Cc: linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, leonard.crestez@nxp.com
Subject: Re: [PATCH 1/1] spi: imx: fix issue when tx_buf or rx_buf is NULL
Date: Fri, 19 May 2017 20:45:18 +0800
Message-ID: <94de6e6d-a2fa-6589-151b-660bbcb42773@gtsys.com.hk>
In-Reply-To: <1495101672-3384-1-git-send-email-jiada_wang@mentor.com>

On Thursday, May 18, 2017 06:01 PM, jiada_wang@mentor.com wrote:
> From: Jiada Wang
>
> In case either transfer->tx_buf or transfer->rx_buf is NULL,
> manipulation of buffer in spi_imx_u32_swap_u[8|16]() will cause
> NULL pointer dereference crash.
>
> Add buffer check at very beginning of spi_imx_u32_swap_u[8|16](),
> to avoid such crash.
>
> Signed-off-by: Jiada Wang
> Reported-by: Leonard Crestez
> --- > drivers/spi/spi-imx.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c > index 782045f..19b30cf 100644 > --- a/drivers/spi/spi-imx.c > +++ b/drivers/spi/spi-imx.c
> @@ -288,6 +288,9 @@ static void spi_imx_u32_swap_u8(struct spi_transfer *transfer, u32 *buf) > { > int i; > > + if (!buf) > + return; > + > for (i = 0; i < transfer->len / 4; i++) > *(buf + i) = cpu_to_be32(*(buf + i)); > } > @@ -296,6 +299,9 @@ static void spi_imx_u32_swap_u16(struct spi_transfer *transfer, u32 *buf) > { > int i; > > + if (!buf) > + return; > + > for (i = 0; i < transfer->len / 4; i++) { > u16 *temp = (u16 *)buf; > >

Hi,

thanks for the patch. But I think we are missing something here.
We return from a void function(), so the error stays hidden. The root cause is calling these functions with a NULL pointer. See if you can fix this by finding the caller and checking whether the parameters handed over are valid.

Cheers
Chris

--
GTSYS Limited RFID Technology
9/F, Unit E, R07, Kwai Shing Industrial Building Phase 2,
42-46 Tai Lin Pai Road, Kwai Chung, N.T., Hong Kong
Tel (852) 9079 9521
Disclaimer: http://www.gtsys.com.hk/email/classified.html
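
Review bot: The `if (!buf) return;` added at the top of spi_imx_u32_swap_u8() has no comment saying when buf is expected to be NULL, and because the function is void the caller cannot tell that the swap was skipped. The commit message says either transfer->tx_buf or transfer->rx_buf can be NULL; if that is a valid transfer, say so in a one-line comment above the check, and if it is not, use a WARN_ON_ONCE(!buf) style check so the bad call is visible instead of silently ignored.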
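
Review bot: The same `if (!buf) return;` is repeated at the top of spi_imx_u32_swap_u16(), so every helper that touches the buffer needs its own copy of the guard. Consider testing transfer->tx_buf and transfer->rx_buf once at the call site and only calling the swap helpers for the buffer that is present; the loops over transfer->len / 4 in both helpers can then rely on a non-NULL buf, and a helper added later cannot miss the check.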