When using mmc_io_rw_extended, it's intent to avoid null pointer of card and invalid func number. But actually it didn't prevent that as the seg_size already use the card. Currently the wrapper function sdio_io_rw_ext_helper already use card before calling mmc_io_rw_extended, so we should move this check to there. As to the func number, it was token from '(ocr & 0x70000000) >> 28' which should be enough to guarantee that it won't be larger than 7. But we should prevent the caller like wifi drivers modify this value. So let's move this check into sdio_io_rw_ext_helper either. Also we remove the BUG_ON for mmc_send_io_op_cond since all possible paths calling this function are protected by checking the arguments in advance. After deploying these changes, we could not see any panic within SDIO API even if func drivers abuse the SDIO func APIs. Signed-off-by: Shawn Lin <shawn.lin@xxxxxxxxxxxxxx> --- Changes in v3: - remove more BUG_ONs for SDIO API and add error rountine for either propagating error codes or casting warning before return. Changes in v2: None drivers/mmc/core/sdio_io.c | 47 ++++++++++++++++++++++++++++++--------------- drivers/mmc/core/sdio_ops.c | 12 +++++------- 2 files changed, 36 insertions(+), 23 deletions(-) diff --git a/drivers/mmc/core/sdio_io.c b/drivers/mmc/core/sdio_io.c index 78cb4d5..0a2350d 100644 --- a/drivers/mmc/core/sdio_io.c +++ b/drivers/mmc/core/sdio_io.c @@ -26,8 +26,8 @@ */ void sdio_claim_host(struct sdio_func *func) { - BUG_ON(!func); - BUG_ON(!func->card); + if (WARN_ON(!func || !func->card)) + return; mmc_claim_host(func->card->host); } @@ -42,8 +42,8 @@ EXPORT_SYMBOL_GPL(sdio_claim_host); */ void sdio_release_host(struct sdio_func *func) { - BUG_ON(!func); - BUG_ON(!func->card); + if (WARN_ON(!func || !func->card)) + return; mmc_release_host(func->card->host); } @@ -62,8 +62,8 @@ int sdio_enable_func(struct sdio_func *func) unsigned char reg; unsigned long timeout; - BUG_ON(!func); - BUG_ON(!func->card); + if (WARN_ON(!func || !func->card)) + return -EINVAL; pr_debug("SDIO: Enabling device %s...\n", sdio_func_id(func)); @@ -112,8 +112,8 @@ int sdio_disable_func(struct sdio_func *func) int ret; unsigned char reg; - BUG_ON(!func); - BUG_ON(!func->card); + if (WARN_ON(!func || !func->card)) + return -EINVAL; pr_debug("SDIO: Disabling device %s...\n", sdio_func_id(func)); @@ -307,6 +307,9 @@ static int sdio_io_rw_ext_helper(struct sdio_func *func, int write, unsigned max_blocks; int ret; + if (!func || (!func->card) || (func->num > 7)) + return -EINVAL; + /* Do the bulk of the transfer using block mode (if supported). */ if (func->card->cccr.multi_block && (size > sdio_max_byte_size(func))) { /* Blocks per command is limited by host count, host transfer @@ -367,7 +370,10 @@ u8 sdio_readb(struct sdio_func *func, unsigned int addr, int *err_ret) int ret; u8 val; - BUG_ON(!func); + if (WARN_ON(!func)) { + *err_ret = -EINVAL; + return 0xFF; + } if (err_ret) *err_ret = 0; @@ -398,7 +404,10 @@ void sdio_writeb(struct sdio_func *func, u8 b, unsigned int addr, int *err_ret) { int ret; - BUG_ON(!func); + if (WARN_ON(!func)) { + *err_ret = -EINVAL; + return; + } ret = mmc_io_rw_direct(func->card, 1, func->num, addr, b, NULL); if (err_ret) @@ -623,7 +632,10 @@ unsigned char sdio_f0_readb(struct sdio_func *func, unsigned int addr, int ret; unsigned char val; - BUG_ON(!func); + if (!func) { + *err_ret = -EINVAL; + return 0xFF; + } if (err_ret) *err_ret = 0; @@ -658,7 +670,10 @@ void sdio_f0_writeb(struct sdio_func *func, unsigned char b, unsigned int addr, { int ret; - BUG_ON(!func); + if (WARN_ON(!func)) { + *err_ret = -EINVAL; + return; + } if ((addr < 0xF0 || addr > 0xFF) && (!mmc_card_lenient_fn0(func->card))) { if (err_ret) @@ -684,8 +699,8 @@ EXPORT_SYMBOL_GPL(sdio_f0_writeb); */ mmc_pm_flag_t sdio_get_host_pm_caps(struct sdio_func *func) { - BUG_ON(!func); - BUG_ON(!func->card); + if (!func || !func->card) + return 0; return func->card->host->pm_caps; } @@ -707,8 +722,8 @@ int sdio_set_host_pm_flags(struct sdio_func *func, mmc_pm_flag_t flags) { struct mmc_host *host; - BUG_ON(!func); - BUG_ON(!func->card); + if (!func || !func->card) + return -EINVAL; host = func->card->host; diff --git a/drivers/mmc/core/sdio_ops.c b/drivers/mmc/core/sdio_ops.c index 34f6e80..279eba2 100644 --- a/drivers/mmc/core/sdio_ops.c +++ b/drivers/mmc/core/sdio_ops.c @@ -24,8 +24,6 @@ int mmc_send_io_op_cond(struct mmc_host *host, u32 ocr, u32 *rocr) struct mmc_command cmd = {0}; int i, err = 0; - BUG_ON(!host); - cmd.opcode = SD_IO_SEND_OP_COND; cmd.arg = ocr; cmd.flags = MMC_RSP_SPI_R4 | MMC_RSP_R4 | MMC_CMD_BCR; @@ -71,8 +69,8 @@ static int mmc_io_rw_direct_host(struct mmc_host *host, int write, unsigned fn, struct mmc_command cmd = {0}; int err; - BUG_ON(!host); - BUG_ON(fn > 7); + if (!host || (fn > 7)) + return -EINVAL; /* sanity check */ if (addr & ~0x1FFFF) @@ -114,7 +112,9 @@ static int mmc_io_rw_direct_host(struct mmc_host *host, int write, unsigned fn, int mmc_io_rw_direct(struct mmc_card *card, int write, unsigned fn, unsigned addr, u8 in, u8 *out) { - BUG_ON(!card); + if (!card) + return -EINVAL; + return mmc_io_rw_direct_host(card->host, write, fn, addr, in, out); } @@ -129,8 +129,6 @@ int mmc_io_rw_extended(struct mmc_card *card, int write, unsigned fn, unsigned int nents, left_size, i; unsigned int seg_size = card->host->max_seg_size; - BUG_ON(!card); - BUG_ON(fn > 7); WARN_ON(blksz == 0); /* sanity check */ -- 2.3.7 -- To unsubscribe from this list: send the line "unsubscribe linux-mmc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html