tmakin/tegra-linux-noble
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length

Browse Source 
BugLink: https://bugs.launchpad.net/bugs/2078289

commit 16198eef11c1929374381d7f6271b4bf6aa44615 upstream.

No check is done on the size of the data to be transmiited. This causes
a kernel panic when this size exceeds the sg_miter's length.

Limit the number of transmitted bytes to sgm->length.

Cc: stable@vger.kernel.org
Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO")
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Link: https://lore.kernel.org/r/20240711081838.47256-2-bastien.curutchet@bootlin.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Portia Stephens <portia.stephens@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
This commit is contained in:
Bastien Curutchet
2024-07-11 10:18:37 +02:00
committed by Stefan Bader
parent 84736a4f0d
commit beca68adfa
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
drivers/mmc/host/davinci_mmc.c
+3
View File
@@ -238,6 +238,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
host->buffer_bytes_left -= n;
host->bytes_left -= n;
if (n > sgm->length)
n = sgm->length;
/* NOTE: we never transfer more than rw_threshold bytes
* to/from the fifo here; there's no I/O overlap.
* This also assumes that access width( i.e. ACCWD) is 4 bytes