summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBastien Curutchet <bastien.curutchet@bootlin.com>2024-07-11 11:18:37 +0300
committerUlf Hansson <ulf.hansson@linaro.org>2024-07-11 18:48:54 +0300
commit16198eef11c1929374381d7f6271b4bf6aa44615 (patch)
tree0f631006be8d9c0107dcfcccf79d1d027102b5e3
parent63d20a94f24fc1cbaf44d0e7c0e0a8077fde0aef (diff)
downloadlinux-16198eef11c1929374381d7f6271b4bf6aa44615.tar.xz
mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length
No check is done on the size of the data to be transmiited. This causes a kernel panic when this size exceeds the sg_miter's length. Limit the number of transmitted bytes to sgm->length. Cc: stable@vger.kernel.org Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO") Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com> Link: https://lore.kernel.org/r/20240711081838.47256-2-bastien.curutchet@bootlin.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
-rw-r--r--drivers/mmc/host/davinci_mmc.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
index d7427894e0bc..c302eb380e42 100644
--- a/drivers/mmc/host/davinci_mmc.c
+++ b/drivers/mmc/host/davinci_mmc.c
@@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
}
p = sgm->addr;
+ if (n > sgm->length)
+ n = sgm->length;
+
/* NOTE: we never transfer more than rw_threshold bytes
* to/from the fifo here; there's no I/O overlap.
* This also assumes that access width( i.e. ACCWD) is 4 bytes