[PATCH 2/3] spi: imx: Fix UAF on package-1 prepare failure in spi_imx_dma_data_prepare()

Frank Li Frank.li at nxp.com
Fri May 1 21:49:33 PDT 2026


On Fri, May 01, 2026 at 01:59:50PM +0000, John Madieu wrote:
> When transfer->len exceeds MX51_ECSPI_CTRL_MAX_BURST and is not a
> multiple of it, spi_imx_dma_data_prepare() splits the transfer into
> two DMA packages. If preparing the second package fails:
>
> 	ret = spi_imx_dma_tx_data_handle(spi_imx, &spi_imx->dma_data[1],
> 					 transfer->tx_buf + spi_imx->dma_data[0].data_len,
> 					 false);
> 	if (ret) {
> 		kfree(spi_imx->dma_data[0].dma_tx_buf);
> 		kfree(spi_imx->dma_data[0].dma_rx_buf);
> 		kfree(spi_imx->dma_data);
> 	}
> 	}

Nit: duplicated }

>
> 	return 0;
>
> the function frees the package-0 buffers and the dma_data array,
> then falls through to `return 0`, telling the caller the prepare
> succeeded. The caller then dereferences the freed dma_data array,
> producing a use-after-free.
>
> Return the error from the failure path so the caller takes its
> existing failure branch.
>
> Fixes: faa8e404ad8e ("spi: imx: support dynamic burst length for ECSPI DMA mode")
> Signed-off-by: John Madieu <john.madieu at gmail.com>
> ---

Reviewed-by: Frank Li <Frank.Li at nxp.com>

>  drivers/spi/spi-imx.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
> index 7ae8078c10ef..4e3dbd01d619 100644
> --- a/drivers/spi/spi-imx.c
> +++ b/drivers/spi/spi-imx.c
> @@ -1709,6 +1709,7 @@ static int spi_imx_dma_data_prepare(struct spi_imx_data *spi_imx,
>  			kfree(spi_imx->dma_data[0].dma_tx_buf);
>  			kfree(spi_imx->dma_data[0].dma_rx_buf);
>  			kfree(spi_imx->dma_data);
> +			return ret;
>  		}
>  	}
>
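Review bot: after `kfree(spi_imx->dma_data);` the added `return ret;` still leaves spi_imx->dma_data pointing at freed memory, so the fix depends on the caller's failure branch never dereferencing or freeing that array again. Consider adding `spi_imx->dma_data = NULL;` between the kfree and the return so that any later access or cleanup sees a NULL pointer rather than stale memory, and confirm that the caller's error path does not kfree the array a second time.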
> --
> 2.25.1
>


