On Fri, Sep 30, 2022 at 02:10:28PM +0200, Robin Murphy wrote:
> That said, maybe this is something that's better to catch than to paper
> over? Arguably the real bug here is that spi_unmap_buf() and the new
> sync functions should use the same "{tx,rx}_buf != NULL" condition that
> spi_map_buf() used for the DMA mapping decision in the first place.
The "{tx,rx}_buf != NULL" condition would not sufficient on its own; the
call to ->can_dma() is also part of the condition. __spi_unmap_msg()
already does the ->can_dma() call even though it checks for the
orig_nents != 0 condition instead of the tx,rx_buf != NULL, but I
omitted that call in the new sync functions, incorrectly believing it to
be redundant.
It looks like __spi_unmap_msg() would have triggered a similar crash
even before this patch, if a client had reused an xfer with both rx and
tx the first time, and only one of them enabled the next time around
(and with ->can_dma() returning true both times). Testing the
{tx,rx}_buf instead of sgt->orig_nents would have avoided that, as you
say.
