`sf probe` calls spi_flash_probe_bus_cs() which returns whatever device
matches the given chip select, regardless of its type. On boards where
a non-flash device (e.g. MMC) shares the SPI bus at cs 0, `sf probe 0`
would silently use that device as a flash handle, causing undefined
behavior.

Check that the returned device belongs to UCLASS_SPI_FLASH before
dereferencing its uclass private data.

Fixes: fbb099183e3a ("dm: Convert spi_flash_probe() and 'sf probe' to use driver model")
Signed-off-by: Nia Su <[email protected]>
---
 cmd/sf.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/cmd/sf.c b/cmd/sf.c
index 
b5b7f671fb972b7bfe9ef60283b4c06431ce1ac0..ec9ebde2aaf032f2a2f435e0d95f1805603afb0e
 100644
--- a/cmd/sf.c
+++ b/cmd/sf.c
@@ -137,8 +137,14 @@ static int do_spi_flash_probe(int argc, char *const argv[])
        flash = NULL;
        if (use_dt) {
                ret = spi_flash_probe_bus_cs(bus, cs, &new);
-               if (!ret)
-                       flash = dev_get_uclass_priv(new);
+               if (!ret) {
+                       if (device_get_uclass_id(new) == UCLASS_SPI_FLASH) {
+                               flash = dev_get_uclass_priv(new);
+                       } else {
+                               printf("SF: device at %u:%u is not a SPI 
flash\n", bus, cs);
+                               ret = -ENODEV;
+                       }
+               }
        } else {
                flash = spi_flash_probe(bus, cs, speed, mode);
        }
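
Review bot: the UCLASS_SPI_FLASH check in the `use_dt` branch protects only this caller, while the commit message says spi_flash_probe_bus_cs() itself hands back whatever device sits at the chip select. Consider moving the device_get_uclass_id() test into that helper, or state in the commit message why other callers are not affected. On the new error path `flash` stays NULL and `ret` becomes -ENODEV, so please confirm the code following this hunk tests one of them before touching the flash handle. The printf() format string is also split across two lines in the posted patch ("is not a SPI" / "flash\n"), which looks like mail-client wrapping and will stop the patch from applying as sent; a shorter message would also keep the line within the usual length limit.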

---
base-commit: 1a8b7ad50aed5f5f0a4ccbfd455233919c097293
change-id: 20260608-sf-validate-uclass-4b4973c5302b
