From: Joakim Tjernlund Date: Sat, 22 May 2010 08:18:02 +0000 (-0600) Subject: spi/spi_mpc8xxx: fix potential memory corruption. X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f9218c2a60facc6ff9a793a9d9ab956194d70012;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git spi/spi_mpc8xxx: fix potential memory corruption. tx_dma/rx_dma are already set to a dummy buffer when no tx/rx buffer and t->tx_dma/t->rx_dma does not contain a dma address, but NULL. This may lead to corruption of kernel memory. Fix this by leaving tx_dma/rx_dma alone. Do not INIT_TX_RX while controller is enabled, this is bad according to the MPC8321 manual. Signed-off-by: Joakim Tjernlund Acked-by: Anton Vorontsov Signed-off-by: Grant Likely --- diff --git a/drivers/spi/spi_mpc8xxx.c b/drivers/spi/spi_mpc8xxx.c index 14d052316502..0dfc482bbff5 100644 --- a/drivers/spi/spi_mpc8xxx.c +++ b/drivers/spi/spi_mpc8xxx.c @@ -241,7 +241,6 @@ static void mpc8xxx_spi_change_mode(struct spi_device *spi) /* Turn off SPI unit prior changing mode */ mpc8xxx_spi_write_reg(mode, cs->hw_mode & ~SPMODE_ENABLE); - mpc8xxx_spi_write_reg(mode, cs->hw_mode); /* When in CPM mode, we need to reinit tx and rx. */ if (mspi->flags & SPI_CPM_MODE) { @@ -258,7 +257,7 @@ static void mpc8xxx_spi_change_mode(struct spi_device *spi) } } } - + mpc8xxx_spi_write_reg(mode, cs->hw_mode); local_irq_restore(flags); } @@ -438,7 +437,7 @@ static int mpc8xxx_spi_cpm_bufs(struct mpc8xxx_spi *mspi, dev_err(dev, "unable to map tx dma\n"); return -ENOMEM; } - } else { + } else if (t->tx_buf) { mspi->tx_dma = t->tx_dma; } @@ -449,7 +448,7 @@ static int mpc8xxx_spi_cpm_bufs(struct mpc8xxx_spi *mspi, dev_err(dev, "unable to map rx dma\n"); goto err_rx_dma; } - } else { + } else if (t->rx_buf) { mspi->rx_dma = t->rx_dma; }