Re: [PATCH] spi: bcm2835: Fix buffer overflow with CS able to go beyond limit.

[Lukas Wunner <lukas@wunner.de>]

On Fri, Apr 23, 2021 at 05:20:55PM +0100, Mark Brown wrote:
> Part of the issue here is that there has been some variation in how
> num_chipselect is interpreted with regard to GPIO based chip selects
> over time.  It *should* be redundant, I'm not clear why it's in the
> generic bindings at all but that's lost to history AFAICT.

It seems num_chipselect is meant to be set to the maximum number of
*native* chipselects supported by the controller.  Which is overwritten
if GPIO chipselects are used.

I failed to appreciate that when I changed num_chipselects for
spi-bcm2835.c with commit 571e31fa60b3.  That single line change
in the commit ought to be reverted.

And the kernel-doc ought to be amended because the crucial detail
that num_chipselect needs to be set to the maximum *native* chipselects
isn't mentioned anywhere.


> The best thing would be to have it not have a single array of chip
> select specific data and instead store everything in the controller_data
> that's there per-device.

Unfortunately that's non-trivial.  The slave-specific data is DMA-mapped.
It could be DMA-mapped in ->setup but there's no ->unsetup to DMA-unmap
the memory once the slave is removed.  Note that the slave could be removed
dynamically with a DT overlay, not just when the controller is unbound.

So we'd need a new ->unsetup hook at the very least to make this work.

The Foundation's downstream kernel now contains a bandaid commit which
raises the limit to 24 and errors out of ->probe if the limit is exceeded.
I would have preferred if it errored out of ->setup.  That way only
the slaves exceeding the limit would fail to instantiate:

https://github.com/raspberrypi/linux/commit/05f8d5826e28

Thoughts?

Lukas