linux/drivers
Nicolas Iooss f93fd0ca5e net: ax88796c: do not receive data in pointer
Function axspi_read_status calls:

    ret = spi_write_then_read(ax_spi->spi, ax_spi->cmd_buf, 1,
                              (u8 *)&status, 3);

status is a pointer to a struct spi_status, which is 3 bytes wide:

    struct spi_status {
        u16 isr;
        u8 status;
    };

But &status is the pointer to this pointer, and spi_write_then_read does
not dereference this parameter:

    int spi_write_then_read(struct spi_device *spi,
                            const void *txbuf, unsigned n_tx,
                            void *rxbuf, unsigned n_rx)

Therefore axspi_read_status currently receives an SPI response in the
pointer status, which overwrites 24 bits of the pointer.

Thankfully, on Little-Endian systems, the pointer is only used in

    le16_to_cpus(&status->isr);

... which is a no-operation. So there, the overwritten pointer is not
dereferenced. Nevertheless on Big-Endian systems, this can lead to
dereferencing pointers after their 24 most significant bits were
overwritten. And in all systems this leads to possible use of an
uninitialized value in functions calling spi_write_then_read which
expect status to be initialized when the function returns.

Moreover function axspi_read_status (and macro AX_READ_STATUS) do not
seem to be used anywhere. So currently this seems to be dead code. Fix
the issue anyway so that future code works properly when using function
axspi_read_status.

Fixes: a97c69ba4f ("net: ax88796c: ASIX AX88796C SPI Ethernet Adapter Driver")

Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Acked-by: Łukasz Stelmach <l.stelmach@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-11-22 14:32:05 +00:00
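
The bug described in the commit message above, reproduced in user space as an added example (not code from the commit or the driver). `fake_spi_read` and the sample response bytes are constructed stand-ins for `spi_write_then_read` and the device; the overwritten pointer is only compared, never dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same fields as the struct spi_status quoted in the commit message. */
struct spi_status {
    uint16_t isr;
    uint8_t status;
};

/* Constructed 3-byte device response used as sample input. */
static const uint8_t sample_rx[3] = { 0x35, 0x12, 0xab };

/* Hypothetical stand-in for spi_write_then_read(): copies n_rx bytes to
 * rxbuf exactly as given, like any API taking a void * receive buffer. */
static int fake_spi_read(void *rxbuf, unsigned n_rx)
{
    memcpy(rxbuf, sample_rx, n_rx);
    return 0;
}

/* Buggy pattern: &status is the address of the pointer variable, so the
 * response lands in the pointer's own bytes and the struct stays untouched.
 * Returns 1 if the pointer value was changed. */
static int read_status_buggy(struct spi_status *status)
{
    struct spi_status *before = status;

    fake_spi_read((uint8_t *)&status, 3);
    return memcmp(&status, &before, sizeof(status)) != 0;
}

/* Fixed pattern: pass the pointer itself so the struct receives the bytes. */
static int read_status_fixed(struct spi_status *status)
{
    return fake_spi_read((uint8_t *)status, 3);
}

int main(void)
{
    struct spi_status s = { 0, 0 };

    printf("buggy: pointer clobbered=%d, status=0x%02x\n",
           read_status_buggy(&s), s.status);
    read_status_fixed(&s);
    printf("fixed: status=0x%02x\n", s.status);
    return 0;
}
```

The cast to `u8 *` is what hides the mistake from the compiler: any pointer type converts to `void *`, so a type mismatch of this kind has to be caught in review or by static analysis.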
..
accessibility
acpi More ACPI updates for 5.16-rc1 2021-11-10 11:52:40 -08:00
amba
android Char/Misc driver update for 5.16-rc1 2021-11-04 08:21:47 -07:00
ata libata: libahci: declare ahci_shost_attr_group as static 2021-11-12 08:05:47 +09:00
atm
auxdisplay
base arch_topology: Fix missing clear cluster_cpumask in remove_cpu_topology() 2021-11-11 13:09:33 +01:00
bcma pci-v5.16-changes 2021-11-06 14:36:12 -07:00
block for-5.16/drivers-2021-11-09 2021-11-09 11:24:08 -08:00
bluetooth TTY / Serial driver update for 5.16-rc1 2021-11-04 09:09:37 -07:00
bus - Config updates for BMIPS platform 2021-11-13 09:11:33 -08:00
cdrom for-5.16/cdrom-2021-10-29 2021-11-01 10:09:14 -07:00
char Char/Misc driver update for 5.16-rc1 2021-11-04 08:21:47 -07:00
clk Devicetree fixes for v5.16, take 1: 2021-11-14 11:11:51 -08:00
clocksource ARM: 2021-11-02 11:24:14 -07:00
comedi comedi: dt9812: fix DMA buffers on stack 2021-10-30 10:54:47 +02:00
connector
counter
cpufreq cpufreq: intel_pstate: Clear HWP Status during HWP Interrupt enable 2021-11-04 19:48:47 +01:00
cpuidle ARM: SoC drivers for 5.16 2021-11-03 17:00:52 -07:00
crypto pci-v5.16-changes 2021-11-06 14:36:12 -07:00
cxl cxl for v5.16 2021-11-08 11:49:48 -08:00
dax
dca
devfreq Merge branches 'pm-opp' and 'pm-cpufreq' 2021-11-10 14:06:51 +01:00
dio
dma dmaengine updates for v5.16-rc1 2021-11-10 11:47:55 -08:00
dma-buf drm next/fixes for 5.16-rc1 2021-11-12 12:11:07 -08:00
edac - amd64_edac: Add support for three-rank interleaving mode which is 2021-11-01 15:02:49 -07:00
eisa
extcon extcon: usbc-tusb320: Add support for TUSB320L 2021-10-27 14:13:39 +09:00
firewire SCSI misc on 20211105 2021-11-05 08:42:02 -07:00
firmware Merge branch 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2021-11-10 16:15:54 -08:00
fpga
fsi
gnss
gpio gpio updates for v5.16 2021-11-08 11:55:21 -08:00
gpu drm next/fixes for 5.16-rc1 2021-11-12 12:11:07 -08:00
greybus
hid Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid 2021-11-05 08:31:51 -07:00
hsi HSI changes for the 5.16 series 2021-11-04 13:56:55 -07:00
hv Drivers: hv: balloon: Use VMBUS_RING_SIZE() wrapper for dm_ring_size 2021-11-15 12:35:56 +00:00
hwmon Merge branch 'akpm' (patches from Andrew) 2021-11-06 14:08:17 -07:00
hwspinlock
hwtracing coresight: trbe: Work around write to out of range 2021-10-27 11:46:01 -06:00
i2c More ACPI updates for 5.16-rc1 2021-11-10 11:52:40 -08:00
i3c
idle
iio chrome platform changes for 5.16 2021-11-10 11:36:43 -08:00
infiniband SCSI misc on 20211105 2021-11-05 08:42:02 -07:00
input Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2021-11-12 11:53:16 -08:00
interconnect
iommu pci-v5.16-changes 2021-11-06 14:36:12 -07:00
ipack
irqchip irqchip/sifive-plic: Fixup EOI failed when masked 2021-11-12 16:09:51 +00:00
isdn
leds
macintosh Merge branch 'akpm' (patches from Andrew) 2021-11-06 14:08:17 -07:00
mailbox mailbox: imx: support i.MX8ULP S4 MU 2021-10-29 23:03:09 -05:00
mcb
md for-5.16/drivers-2021-11-09 2021-11-09 11:24:08 -08:00
media More ACPI updates for 5.16-rc1 2021-11-10 11:52:40 -08:00
memory
memstick
message pci-v5.16-changes 2021-11-06 14:36:12 -07:00
mfd chrome platform changes for 5.16 2021-11-10 11:36:43 -08:00
misc More ACPI updates for 5.16-rc1 2021-11-10 11:52:40 -08:00
mmc Merge branch 'akpm' (patches from Andrew) 2021-11-06 14:08:17 -07:00
most most: fix control-message timeouts 2021-10-26 19:12:01 +02:00
mtd for-5.16/drivers-2021-11-09 2021-11-09 11:24:08 -08:00
mux
net net: ax88796c: do not receive data in pointer 2021-11-22 14:32:05 +00:00
nfc nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails 2021-11-07 19:37:04 +00:00
ntb
nubus
nvdimm libnvdimm for v5.16 2021-11-10 10:56:02 -08:00
nvme for-5.16/block-2021-11-09 2021-11-09 11:20:07 -08:00
nvmem
of Devicetree fixes for v5.16, take 1: 2021-11-14 11:11:51 -08:00
opp
parisc
parport
pci A set of fixes for the interrupt subsystem: 2021-11-14 10:38:27 -08:00
pcmcia Core: 2021-11-02 06:20:58 -07:00
perf ACPI updates for 5.16-rc1 2021-11-02 15:58:39 -07:00
phy Char/Misc driver update for 5.16-rc1 2021-11-04 08:21:47 -07:00
pinctrl Pin control changes for the v5.16 kernel cycle 2021-11-05 08:24:17 -07:00
platform chrome platform changes for 5.16 2021-11-10 11:36:43 -08:00
pnp
power power: supply: bq25890: Fix initial setting of the F_CONV_RATE field 2021-11-02 16:48:47 +01:00
powercap
pps
ps3
ptp ptp: ocp: Fix a couple NULL vs IS_ERR() checks 2021-11-18 12:12:55 +00:00
pwm pwm: vt8500: Rename pwm_busy_wait() to make it obviously driver-specific 2021-11-05 11:57:13 +01:00
rapidio rapidio: avoid bogus __alloc_size warning 2021-11-06 13:30:33 -07:00
ras
regulator - Remove Drivers 2021-11-08 12:07:52 -08:00
remoteproc
reset ARM: SoC drivers for 5.16 2021-11-03 17:00:52 -07:00
rpmsg remoteproc updates for v5.16 2021-11-10 09:07:26 -08:00
rtc RTC for 5.16 2021-11-12 11:44:31 -08:00
s390 s390/cio: check the subchannel validity for dev_busid 2021-11-08 14:17:49 +01:00
sbus
scsi SCSI misc on 20211112 2021-11-12 12:25:50 -08:00
sh
siox
slimbus
soc Merge branch 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2021-11-10 16:15:54 -08:00
soundwire
spi spi: Updates for v5.16 2021-11-01 19:09:04 -07:00
spmi
ssb
staging Merge branch 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace 2021-11-10 16:15:54 -08:00
target SCSI misc on 20211112 2021-11-12 12:25:50 -08:00
tc
tee Char/Misc driver update for 5.16-rc1 2021-11-04 08:21:47 -07:00
thermal thermal: int340x: fix build on 32-bit targets 2021-11-12 10:56:25 -08:00
thunderbolt thunderbolt: Changes for v5.16 merge window 2021-10-25 13:17:29 +02:00
tty TTY / Serial driver update for 5.16-rc1 2021-11-04 09:09:37 -07:00
uio Drivers: hv: vmbus: Mark vmbus ring buffer visible to host in Isolation VM 2021-10-28 11:22:23 +00:00
usb USB fixes for 5.16-rc1 2021-11-11 09:40:15 -08:00
vdpa vhost,virtio,vhost: fixes,features 2021-11-03 15:00:39 -07:00
vfio
vhost vdpa: Introduce and use vdpa device get, set config helpers 2021-11-01 05:26:49 -04:00
video parisc/sticon: fix reverse colors 2021-11-17 11:04:02 +01:00
virt
virtio virtio-mem: support VIRTIO_MEM_F_UNPLUGGED_INACCESSIBLE 2021-11-10 15:32:38 +01:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.16-rc1 tag 2021-11-10 09:41:22 -08:00
xen xen: branch for v5.16-rc1 2021-11-10 11:14:21 -08:00
zorro
Kconfig
Makefile