NACK/Cmnt: [SRU][N][PATCH 1/1] spi: spi-imx: Add check for spi_imx_setupxfer()

Alice C. Munduruca alice.munduruca at canonical.com
Thu Oct 16 12:16:21 UTC 2025 

On 16/10/2025 10:58, Alessio Faina wrote:
> From: Tamura Dai <kirinode0 at gmail.com>
> 
> Add check for the return value of spi_imx_setupxfer().
> spi_imx->rx and spi_imx->tx function pointer can be NULL when
> spi_imx_setupxfer() return error, and make NULL pointer dereference.
> 
>  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
>  Call trace:
>   0x0
>   spi_imx_pio_transfer+0x50/0xd8
>   spi_imx_transfer_one+0x18c/0x858
>   spi_transfer_one_message+0x43c/0x790
>   __spi_pump_transfer_message+0x238/0x5d4
>   __spi_sync+0x2b0/0x454
>   spi_write_then_read+0x11c/0x200
> 
> Signed-off-by: Tamura Dai <kirinode0 at gmail.com>
> Reviewed-by: Carlos Song <carlos.song at nxp.com>
> Link: https://patch.msgid.link/20250417011700.14436-1-kirinode0@gmail.com
> Signed-off-by: Mark Brown <broonie at kernel.org>
> (cherry-picked from commit 951a04ab3a2db4029debfa48d380ef834b93207e)

The cherry pick tag is incorrect, as can be seen on the dashboard at
http://ktml-board.kernel/ktml-exp/.

The proper tag format is as below, which is what `git cherry-pick -esx` does.

(cherry picked from ...)

Otherwise the patch looks good!
 - Alice C. Munduruca

> CVE-2025-37801
> Signed-off-by: Alessio Faina <alessio.faina at canonical.com>
> ---
>  drivers/spi/spi-imx.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
> index 0498cd2ab044..84c0c8f24dbf 100644
> --- a/drivers/spi/spi-imx.c
> +++ b/drivers/spi/spi-imx.c
> @@ -1614,10 +1614,13 @@ static int spi_imx_transfer_one(struct spi_controller *controller,
>  				struct spi_device *spi,
>  				struct spi_transfer *transfer)
>  {
> +	int ret;
>  	struct spi_imx_data *spi_imx = spi_controller_get_devdata(spi->controller);
>  	unsigned long hz_per_byte, byte_limit;
>  
> -	spi_imx_setupxfer(spi, transfer);
> +	ret = spi_imx_setupxfer(spi, transfer);
> +	if (ret < 0)
> +		return ret;
>  	transfer->effective_speed_hz = spi_imx->spi_bus_clk;
>  
>  	/* flush rxfifo before transfer */
> -- 
> 2.43.0

More information about the kernel-team mailing list