diff options
author | Bastien Curutchet <bastien.curutchet@bootlin.com> | 2024-07-11 11:18:37 +0300 |
---|---|---|
committer | Ulf Hansson <ulf.hansson@linaro.org> | 2024-07-11 18:48:54 +0300 |
commit | 16198eef11c1929374381d7f6271b4bf6aa44615 (patch) | |
tree | 0f631006be8d9c0107dcfcccf79d1d027102b5e3 | |
parent | 63d20a94f24fc1cbaf44d0e7c0e0a8077fde0aef (diff) | |
download | linux-16198eef11c1929374381d7f6271b4bf6aa44615.tar.xz |
mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length
No check is done on the size of the data to be transmiited. This causes
a kernel panic when this size exceeds the sg_miter's length.
Limit the number of transmitted bytes to sgm->length.
Cc: stable@vger.kernel.org
Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO")
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Link: https://lore.kernel.org/r/20240711081838.47256-2-bastien.curutchet@bootlin.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-rw-r--r-- | drivers/mmc/host/davinci_mmc.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c index d7427894e0bc..c302eb380e42 100644 --- a/drivers/mmc/host/davinci_mmc.c +++ b/drivers/mmc/host/davinci_mmc.c @@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host, } p = sgm->addr; + if (n > sgm->length) + n = sgm->length; + /* NOTE: we never transfer more than rw_threshold bytes * to/from the fifo here; there's no I/O overlap. * This also assumes that access width( i.e. ACCWD) is 4 bytes |