Bug in stm32h7xx_hal_spi.c when using HAL_SPI_TransmitReceive_IT()

Question

I believe I discovered a bug in the SPI driver in relation to using HAL_SPI_TransmitReceive_IT() that causes buffer overflows, which also made it tricky to discover.

In our project, I had switched our SPI handlers to from blocking to non-blocking using the interrupt APIs.

The bug happens when calling HAL_SPI_TransmitReceive_IT() which hits:

HAL_StatusTypeDef HAL_SPI_TransmitReceive_IT(SPI_HandleTypeDef *hspi, const uint8_t *pTxData, uint8_t *pRxData, uint16_t Size)
{
 ...
 /* Fill in the TxFIFO */
 while ((__HAL_SPI_GET_FLAG(hspi, SPI_FLAG_TXP)) && (tmp_TxXferCount != 0UL))
 {
 ...
 hspi->pTxBuffPtr += sizeof(~);
 hspi->TxXferCount--; // <--- This decrements until 0
 ...

Then when an interrupt hits for SPI_TxISR_32BIT, SPI_TxISR_16BIT, or SPI_TxISR_8BIT it hits:

static void SPI_TxISR_8BIT(SPI_HandleTypeDef *hspi)
{
 /* Transmit data in 8 Bit mode */
 *(__IO uint8_t *)&hspi->Instance->TXDR = *((const uint8_t *)hspi->pTxBuffPtr);
 hspi->pTxBuffPtr += sizeof(uint8_t);
 hspi->TxXferCount--; // <---- Decrement without check, causing a rollover therefore an overflow

I fixed this locally by adding a condition check in the TxISR and RxISR handlers to this:

static void SPI_TxISR_8BIT(SPI_HandleTypeDef *hspi)
{
 /* Transmit data in 8 Bit mode */
 *(__IO uint8_t *)&hspi->Instance->TXDR = *((const uint8_t *)hspi->pTxBuffPtr);

 if(hspi->TxXferCount > 0) // <--- Make sure not zero
 {
 hspi->pTxBuffPtr += sizeof(uint8_t);
 hspi->TxXferCount--;
 }

Let me know your thoughts.

Regards.

Saket_Om · Accepted Answer

Hello @AGreen 3rdEye The issue has been resolved, and the fix is now available on GitHub.

Imen.D · Answer

Hi @AGreen 3rdEye Issue is confirmed and our team is working to resolve this for impacted SPI HAL.Thank you for your contribution.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded