authorBastien Curutchet <bastien.curutchet@bootlin.com>2024-07-11 10:18:37 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2024-07-18 13:22:51 +0200
commitc561c4ecce712f94b442db5960e281f13b28df2e (patch)
tree9294e56726e4a89c9bd6ad69bea4451b6807a638
parentbf78b1accef46efd9b624967cb74ae8d3c215a2b (diff)
mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length
commit 16198eef11c1929374381d7f6271b4bf6aa44615 upstream. No check is done on the size of the data to be transmitted. This causes a kernel panic when this size exceeds the sg_miter's length. Limit the number of transmitted bytes to sgm->length. Cc: stable@vger.kernel.org Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO") Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com> Link: https://lore.kernel.org/r/20240711081838.47256-2-bastien.curutchet@bootlin.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/mmc/host/davinci_mmc.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
index d7427894e0bc..c302eb380e42 100644
--- a/drivers/mmc/host/davinci_mmc.c
+++ b/drivers/mmc/host/davinci_mmc.c
@@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
}
p = sgm->addr;
+ if (n > sgm->length)
+ n = sgm->length;
+
/* NOTE: we never transfer more than rw_threshold bytes
* to/from the fifo here; there's no I/O overlap.
* This also assumes that access width( i.e. ACCWD) is 4 bytes