[PATCH AUTOSEL 6.19] spi: spi-dw-dma: fix print error log when wait finish transaction

[Sasha Levin <sashal@kernel.org>]

From: Vladimir Yakovlev <vovchkir@gmail.com>

[ Upstream commit 3b46d61890632c8f8b117147b6923bff4b42ccb7 ]

If an error occurs, the device may not have a current message. In this
case, the system will crash.

In this case, it's better to use dev from the struct ctlr (struct spi_controller*).

Signed-off-by: Vladimir Yakovlev <vovchkir@gmail.com>
Link: https://patch.msgid.link/20260302222017.992228-2-vovchkir@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

The analysis is clear. When `dw_spi_dma_wait` times out, `cur_msg` could
potentially be NULL or in an inconsistent state. Dereferencing
`dws->ctlr->cur_msg->spi->dev` through a chain of 3 pointer dereferences
when `cur_msg` could be NULL causes a NULL pointer dereference crash.

The fix simply uses `dws->ctlr->dev` instead, which is always valid
since it's the controller's own device - guaranteed to exist as long as
the controller exists.

## Analysis

### What the commit fixes
This commit fixes a potential NULL pointer dereference crash in the SPI
DW DMA driver. When a DMA transaction times out in `dw_spi_dma_wait()`,
the error logging path accesses `dws->ctlr->cur_msg->spi->dev`. If
`cur_msg` is NULL (which can happen on error paths, as the SPI core sets
it to NULL in various places), this causes a kernel crash. The fix uses
`dws->ctlr->dev` instead, which is always valid.

### Meets stable kernel rules
1. **Obviously correct**: The fix is a single-line change replacing an
   unsafe pointer chain with a safe, always-valid device reference. The
   controller device (`ctlr->dev`) is always valid as long as the
   controller is registered.
2. **Fixes a real bug**: NULL pointer dereference leading to a kernel
   crash.
3. **Important issue**: Kernel crash/oops in a commonly used SPI driver.
4. **Small and contained**: One line change in one file.
5. **No new features**: Pure bug fix.

### Risk assessment
- **Risk**: Extremely low. The fix simply changes which `struct device
  *` is used for `dev_err()` logging. The worst case is the error
  message shows a slightly different device name in the log.
- **Benefit**: Prevents a kernel crash when a DMA transfer times out.

### Dependency check
The fix uses `ctlr` which was renamed from `host` in commit
`b926b15547d29` (Oct 2025). For older stable trees (pre-6.12 or so), the
field was named `master` or `host`, so the backport would need trivial
adaptation (changing `ctlr` to `host` or `master` depending on the
tree). The buggy code has been present since commit `bdbdf0f06337d`
(v5.8, May 2020), so all supported stable trees would benefit.

### Verification
- `git log -p --follow -S 'cur_msg->spi->dev'` confirmed the buggy
  pattern was introduced in commit `bdbdf0f06337d` (v5.8 era, 2020)
- `git tag --contains bdbdf0f06337d` confirmed it's in stable branches
  p-5.10, p-5.15, p-6.1
- `git show b926b15547d29` confirmed the `host` -> `ctlr` rename touched
  this exact line, creating a dependency for clean backport to newer
  stable trees
- Read of `spi.c` confirmed `cur_msg` is set to NULL in multiple places
  (lines 1910, 2198, 4480), validating the crash scenario
- The fix only changes the `struct device *` argument to `dev_err()`,
  which has zero functional impact beyond logging

**YES**

 drivers/spi/spi-dw-dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-dw-dma.c b/drivers/spi/spi-dw-dma.c
index 65adec7c7524b..fe726b9b1780d 100644
--- a/drivers/spi/spi-dw-dma.c
+++ b/drivers/spi/spi-dw-dma.c
@@ -271,7 +271,7 @@ static int dw_spi_dma_wait(struct dw_spi *dws, unsigned int len, u32 speed)
 					 msecs_to_jiffies(ms));
 
 	if (ms == 0) {
-		dev_err(&dws->ctlr->cur_msg->spi->dev,
+		dev_err(&dws->ctlr->dev,
 			"DMA transaction timed out\n");
 		return -ETIMEDOUT;
 	}
-- 
2.51.0