spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
authorFei Shao <fshao@chromium.org>
Thu, 21 Mar 2024 07:08:57 +0000 (15:08 +0800)
committerSasha Levin <sashal@kernel.org>
Tue, 26 Mar 2024 22:17:38 +0000 (18:17 -0400)
[ Upstream commit a20ad45008a7c82f1184dc6dee280096009ece55 ]

The TX buffer in spi_transfer can be a NULL pointer, so the interrupt
handler may end up writing to invalid memory and cause crashes.

Add a check to trans->tx_buf before using it.

Fixes: 1ce24864bff4 ("spi: mediatek: Only do dma for 4-byte aligned buffers")
Signed-off-by: Fei Shao <fshao@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://msgid.link/r/20240321070942.1587146-2-fshao@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/spi/spi-mt65xx.c

index 8d5d170d49cc44686940a79d5bc9a80244dce4d1..109dac2e69df25299ad95432dbfbe2969fb158cc 100644 (file)
@@ -787,17 +787,19 @@ static irqreturn_t mtk_spi_interrupt(int irq, void *dev_id)
                mdata->xfer_len = min(MTK_SPI_MAX_FIFO_SIZE, len);
                mtk_spi_setup_packet(host);
 
-               cnt = mdata->xfer_len / 4;
-               iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
-                               trans->tx_buf + mdata->num_xfered, cnt);
+               if (trans->tx_buf) {
+                       cnt = mdata->xfer_len / 4;
+                       iowrite32_rep(mdata->base + SPI_TX_DATA_REG,
+                                       trans->tx_buf + mdata->num_xfered, cnt);
 
-               remainder = mdata->xfer_len % 4;
-               if (remainder > 0) {
-                       reg_val = 0;
-                       memcpy(&reg_val,
-                               trans->tx_buf + (cnt * 4) + mdata->num_xfered,
-                               remainder);
-                       writel(reg_val, mdata->base + SPI_TX_DATA_REG);
+                       remainder = mdata->xfer_len % 4;
+                       if (remainder > 0) {
+                               reg_val = 0;
+                               memcpy(&reg_val,
+                                       trans->tx_buf + (cnt * 4) + mdata->num_xfered,
+                                       remainder);
+                               writel(reg_val, mdata->base + SPI_TX_DATA_REG);
+                       }
                }
 
                mtk_spi_enable_transfer(host);
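Review bot: The new `if (trans->tx_buf)` guard skips the FIFO load without saying what the controller then shifts out on MOSI once `mtk_spi_enable_transfer(host)` runs. That call is still made unconditionally. If the hardware replays whatever is left in the TX FIFO from an earlier chunk, an RX-only transfer could put stale payload bytes on the bus; this hunk does not show whether it does. I would add a comment above the guard such as `/* tx_buf is NULL for RX-only transfers: leave the TX FIFO unloaded; the controller clocks out <documented idle pattern> */`, or add an else branch that writes zeros if the datasheet gives no such guarantee. The body of mtk_spi_interrupt starts and ends outside this hunk, so the RX path and any earlier FIFO reset are not visible here.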