mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length

bastien-curutchet · storulf · commit 16198eef11c1 · 2024-07-11T17:48:54.000+02:00
No check is done on the size of the data to be transmiited. This causes a kernel panic when this size exceeds the sg_miter's length. Limit the number of transmitted bytes to sgm->length. Cc: stable@vger.kernel.org Fixes: ed01d21 ("mmc: davinci_mmc: Use sg_miter for PIO") Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com> Link: https://lore.kernel.org/r/20240711081838.47256-2-bastien.curutchet@bootlin.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
@@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
 	}
 	p = sgm->addr;
 
+	if (n > sgm->length)
+		n = sgm->length;
+
 	/* NOTE:  we never transfer more than rw_threshold bytes
 	 * to/from the fifo here; there's no I/O overlap.
 	 * This also assumes that access width( i.e. ACCWD) is 4 bytes

Original file line number	Diff line number	Diff line change
`@@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,`
`224`	`224`	`}`
`225`	`225`	`p = sgm->addr;`
`226`	`226`
	`227`	`+ if (n > sgm->length)`
	`228`	`+ n = sgm->length;`
	`229`	`+`
`227`	`230`	`/* NOTE: we never transfer more than rw_threshold bytes`
`228`	`231`	`* to/from the fifo here; there's no I/O overlap.`
`229`	`232`	`* This also assumes that access width( i.e. ACCWD) is 4 bytes`