[U-Boot] [PATCH] dm: mmc_spi: Fix NULL pointer dereference in mmc_spi_bind()
The mmc_spi driver's priv is not available in its bind phase(). Use platdata instead.
Fixes: 05e35d429745 ("mmc: mmc_spi: Re-write driver using DM framework") Signed-off-by: Bin Meng bmeng.cn@gmail.com ---
drivers/mmc/mmc_spi.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/drivers/mmc/mmc_spi.c b/drivers/mmc/mmc_spi.c index 350812a..c693fb2 100644 --- a/drivers/mmc/mmc_spi.c +++ b/drivers/mmc/mmc_spi.c @@ -58,12 +58,15 @@ #define READ_TIMEOUT 3000000 /* 1 sec */ #define WRITE_TIMEOUT 3000000 /* 1 sec */
-struct mmc_spi_priv { - struct spi_slave *spi; +struct mmc_spi_plat { struct mmc_config cfg; struct mmc mmc; };
+struct mmc_spi_priv { + struct spi_slave *spi; +}; + static int mmc_spi_sendcmd(struct udevice *dev, ushort cmdidx, u32 cmdarg, u32 resp_type, u8 *resp, u32 resp_size, @@ -370,6 +373,7 @@ done: static int mmc_spi_probe(struct udevice *dev) { struct mmc_spi_priv *priv = dev_get_priv(dev); + struct mmc_spi_plat *plat = dev_get_platdata(dev); struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev); char *name;
@@ -385,28 +389,28 @@ static int mmc_spi_probe(struct udevice *dev) return -ENOMEM; sprintf(name, "%s:%s", dev->parent->name, dev->name);
- priv->cfg.name = name; - priv->cfg.host_caps = MMC_MODE_SPI; - priv->cfg.voltages = MMC_SPI_VOLTAGE; - priv->cfg.f_min = MMC_SPI_MIN_CLOCK; - priv->cfg.f_max = priv->spi->max_hz; - priv->cfg.part_type = PART_TYPE_DOS; - priv->cfg.b_max = CONFIG_SYS_MMC_MAX_BLK_COUNT; + plat->cfg.name = name; + plat->cfg.host_caps = MMC_MODE_SPI; + plat->cfg.voltages = MMC_SPI_VOLTAGE; + plat->cfg.f_min = MMC_SPI_MIN_CLOCK; + plat->cfg.f_max = priv->spi->max_hz; + plat->cfg.part_type = PART_TYPE_DOS; + plat->cfg.b_max = CONFIG_SYS_MMC_MAX_BLK_COUNT;
- priv->mmc.cfg = &priv->cfg; - priv->mmc.priv = priv; - priv->mmc.dev = dev; + plat->mmc.cfg = &plat->cfg; + plat->mmc.priv = priv; + plat->mmc.dev = dev;
- upriv->mmc = &priv->mmc; + upriv->mmc = &plat->mmc;
return 0; }
static int mmc_spi_bind(struct udevice *dev) { - struct mmc_spi_priv *priv = dev_get_priv(dev); + struct mmc_spi_plat *plat = dev_get_platdata(dev);
- return mmc_bind(dev, &priv->mmc, &priv->cfg); + return mmc_bind(dev, &plat->mmc, &plat->cfg); }
static const struct dm_mmc_ops mmc_spi_ops = { @@ -426,5 +430,6 @@ U_BOOT_DRIVER(mmc_spi) = { .ops = &mmc_spi_ops, .probe = mmc_spi_probe, .bind = mmc_spi_bind, + .platdata_auto_alloc_size = sizeof(struct mmc_spi_plat), .priv_auto_alloc_size = sizeof(struct mmc_spi_priv), };
Subject: [PATCH] dm: mmc_spi: Fix NULL pointer dereference in mmc_spi_bind()
The mmc_spi driver's priv is not available in its bind phase(). Use platdata instead.
Fixes: 05e35d429745 ("mmc: mmc_spi: Re-write driver using DM framework") Signed-off-by: Bin Meng bmeng.cn@gmail.com
drivers/mmc/mmc_spi.c | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-)
diff --git a/drivers/mmc/mmc_spi.c b/drivers/mmc/mmc_spi.c index 350812a..c693fb2 100644 --- a/drivers/mmc/mmc_spi.c +++ b/drivers/mmc/mmc_spi.c @@ -58,12 +58,15 @@ #define READ_TIMEOUT 3000000 /* 1 sec */ #define WRITE_TIMEOUT 3000000 /* 1 sec */
-struct mmc_spi_priv {
- struct spi_slave *spi;
+struct mmc_spi_plat { struct mmc_config cfg; struct mmc mmc; };
+struct mmc_spi_priv {
- struct spi_slave *spi;
+};
static int mmc_spi_sendcmd(struct udevice *dev, ushort cmdidx, u32 cmdarg, u32 resp_type, u8 *resp, u32 resp_size, @@ -370,6 +373,7 @@ done: static int mmc_spi_probe(struct udevice *dev) { struct mmc_spi_priv *priv = dev_get_priv(dev);
- struct mmc_spi_plat *plat = dev_get_platdata(dev); struct mmc_uclass_priv *upriv = dev_get_uclass_priv(dev); char *name;
@@ -385,28 +389,28 @@ static int mmc_spi_probe(struct udevice *dev) return -ENOMEM; sprintf(name, "%s:%s", dev->parent->name, dev->name);
- priv->cfg.name = name;
- priv->cfg.host_caps = MMC_MODE_SPI;
- priv->cfg.voltages = MMC_SPI_VOLTAGE;
- priv->cfg.f_min = MMC_SPI_MIN_CLOCK;
- priv->cfg.f_max = priv->spi->max_hz;
- priv->cfg.part_type = PART_TYPE_DOS;
- priv->cfg.b_max = CONFIG_SYS_MMC_MAX_BLK_COUNT;
- plat->cfg.name = name;
- plat->cfg.host_caps = MMC_MODE_SPI;
- plat->cfg.voltages = MMC_SPI_VOLTAGE;
- plat->cfg.f_min = MMC_SPI_MIN_CLOCK;
- plat->cfg.f_max = priv->spi->max_hz;
- plat->cfg.part_type = PART_TYPE_DOS;
- plat->cfg.b_max = CONFIG_SYS_MMC_MAX_BLK_COUNT;
- priv->mmc.cfg = &priv->cfg;
- priv->mmc.priv = priv;
- priv->mmc.dev = dev;
- plat->mmc.cfg = &plat->cfg;
- plat->mmc.priv = priv;
- plat->mmc.dev = dev;
- upriv->mmc = &priv->mmc;
upriv->mmc = &plat->mmc;
return 0;
}
static int mmc_spi_bind(struct udevice *dev) {
- struct mmc_spi_priv *priv = dev_get_priv(dev);
- struct mmc_spi_plat *plat = dev_get_platdata(dev);
- return mmc_bind(dev, &priv->mmc, &priv->cfg);
- return mmc_bind(dev, &plat->mmc, &plat->cfg);
}
static const struct dm_mmc_ops mmc_spi_ops = { @@ -426,5 +430,6 @@ U_BOOT_DRIVER(mmc_spi) = { .ops = &mmc_spi_ops, .probe = mmc_spi_probe, .bind = mmc_spi_bind,
- .platdata_auto_alloc_size = sizeof(struct mmc_spi_plat), .priv_auto_alloc_size = sizeof(struct mmc_spi_priv), };
Reviewed-by: Peng Fan peng.fan@nxp.com
-- 2.7.4
participants (2)
-
Bin Meng -
Peng Fan