All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] spi: spi-zynq-qspi: fix stack violation bug
@ 2020-12-04  9:13 ` Karen Dombroski
  0 siblings, 0 replies; 4+ messages in thread
From: Karen Dombroski @ 2020-12-04  9:13 UTC (permalink / raw)
  To: Mark Brown; +Cc: Michal Simek, linux-spi, linux-arm-kernel, linux-kernel

When the number of bytes for the op is greater than one, the read could
run off the end of the function stack and cause a crash.

This patch restores the behaviour of safely reading out of the original
opcode location.

Fixes: caf72df48be3 ("spi: spi-mem: allow specifying a command's
extension")
Signed-off-by: Karen Dombroski <karen.dombroski@marsbioimaging.com>
Reviewed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
---
CR-1084036
---
 drivers/spi/spi-zynq-qspi.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 5d8a5ee62fa2..2765289028fa 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -528,18 +528,17 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
       struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
       int err = 0, i;
       u8 *tmpbuf;
-       u8 opcode = op->cmd.opcode;

       dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n",
-               opcode, op->cmd.buswidth, op->addr.buswidth,
+               op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
               op->dummy.buswidth, op->data.buswidth);

       zynq_qspi_chipselect(mem->spi, true);
       zynq_qspi_config_op(xqspi, mem->spi);

-       if (op->cmd.nbytes) {
+       if (op->cmd.opcode) {
               reinit_completion(&xqspi->data_completion);
-               xqspi->txbuf = &opcode;
+               xqspi->txbuf = (u8 *)&op->cmd.opcode;
               xqspi->rxbuf = NULL;
               xqspi->tx_bytes = op->cmd.nbytes;
               xqspi->rx_bytes = op->cmd.nbytes;
--
2.17.1

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH] spi: spi-zynq-qspi: fix stack violation bug
@ 2020-12-04  9:13 ` Karen Dombroski
  0 siblings, 0 replies; 4+ messages in thread
From: Karen Dombroski @ 2020-12-04  9:13 UTC (permalink / raw)
  To: Mark Brown; +Cc: linux-kernel, Michal Simek, linux-arm-kernel, linux-spi

When the number of bytes for the op is greater than one, the read could
run off the end of the function stack and cause a crash.

This patch restores the behaviour of safely reading out of the original
opcode location.

Fixes: caf72df48be3 ("spi: spi-mem: allow specifying a command's
extension")
Signed-off-by: Karen Dombroski <karen.dombroski@marsbioimaging.com>
Reviewed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@xilinx.com>
---
CR-1084036
---
 drivers/spi/spi-zynq-qspi.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 5d8a5ee62fa2..2765289028fa 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -528,18 +528,17 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
       struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
       int err = 0, i;
       u8 *tmpbuf;
-       u8 opcode = op->cmd.opcode;

       dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n",
-               opcode, op->cmd.buswidth, op->addr.buswidth,
+               op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
               op->dummy.buswidth, op->data.buswidth);

       zynq_qspi_chipselect(mem->spi, true);
       zynq_qspi_config_op(xqspi, mem->spi);

-       if (op->cmd.nbytes) {
+       if (op->cmd.opcode) {
               reinit_completion(&xqspi->data_completion);
-               xqspi->txbuf = &opcode;
+               xqspi->txbuf = (u8 *)&op->cmd.opcode;
               xqspi->rxbuf = NULL;
               xqspi->tx_bytes = op->cmd.nbytes;
               xqspi->rx_bytes = op->cmd.nbytes;
--
2.17.1

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] spi: spi-zynq-qspi: fix stack violation bug
  2020-12-04  9:13 ` Karen Dombroski
@ 2020-12-04 17:50   ` Mark Brown
  -1 siblings, 0 replies; 4+ messages in thread
From: Mark Brown @ 2020-12-04 17:50 UTC (permalink / raw)
  To: Karen Dombroski; +Cc: Michal Simek, linux-spi, linux-arm-kernel, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 564 bytes --]

On Fri, Dec 04, 2020 at 10:13:19PM +1300, Karen Dombroski wrote:
> When the number of bytes for the op is greater than one, the read could
> run off the end of the function stack and cause a crash.

This doesn't apply against current code, please check and resend:

Applying: spi: spi-zynq-qspi: fix stack violation bug
Using index info to reconstruct a base tree...
error: patch failed: drivers/spi/spi-zynq-qspi.c:528
error: drivers/spi/spi-zynq-qspi.c: patch does not apply
error: Did you hand edit your patch?
It does not apply to blobs recorded in its index.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] spi: spi-zynq-qspi: fix stack violation bug
@ 2020-12-04 17:50   ` Mark Brown
  0 siblings, 0 replies; 4+ messages in thread
From: Mark Brown @ 2020-12-04 17:50 UTC (permalink / raw)
  To: Karen Dombroski; +Cc: linux-kernel, Michal Simek, linux-arm-kernel, linux-spi


[-- Attachment #1.1: Type: text/plain, Size: 564 bytes --]

On Fri, Dec 04, 2020 at 10:13:19PM +1300, Karen Dombroski wrote:
> When the number of bytes for the op is greater than one, the read could
> run off the end of the function stack and cause a crash.

This doesn't apply against current code, please check and resend:

Applying: spi: spi-zynq-qspi: fix stack violation bug
Using index info to reconstruct a base tree...
error: patch failed: drivers/spi/spi-zynq-qspi.c:528
error: drivers/spi/spi-zynq-qspi.c: patch does not apply
error: Did you hand edit your patch?
It does not apply to blobs recorded in its index.

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

[-- Attachment #2: Type: text/plain, Size: 176 bytes --]

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-12-04 17:52 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-04  9:13 [PATCH] spi: spi-zynq-qspi: fix stack violation bug Karen Dombroski
2020-12-04  9:13 ` Karen Dombroski
2020-12-04 17:50 ` Mark Brown
2020-12-04 17:50   ` Mark Brown

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.