> > For RPMB, block count is a non-zero 16 bit wide number. Reject invalid Actually this is not what limits the number of rpmb frames to be read, As those are not indicated in the block_count field of the rpmb frame, But in CMD23. While it is true that by eMMCv52 RPMB_SIZE_MULT max value is 0x80, Which limits the RPMB are to 16M, or 65535 rpmb frames, I don't think that it is up to the host to validate the rpmb frame content - The device will return the appropriate error should such an error occur. Also, specs are changing from time to time, so hard-coding 65535 is less appropriate. > values from userspace instead of just masking the unneeded bits. Tested > with a modified 'mmc-utils' package. > > Signed-off-by: Wolfram Sang <wsa+renesas@xxxxxxxxxxxxxxxxxxxx> > --- > drivers/mmc/core/block.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c > index c35b5b08bb33..9e0f7e4aa8c6 100644 > --- a/drivers/mmc/core/block.c > +++ b/drivers/mmc/core/block.c > @@ -550,6 +550,9 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card > *card, struct mmc_blk_data *md, > } > > if (idata->rpmb) { > + if (data.blocks > 65535 || !data.blocks) > + return -EINVAL; > + Other than my comment above, this series looks fine to me. Thanks, Avri