Without these checks NULL-pointer may be dereferenced in sh_mmcif_end_cmd parameters inside if (data->flags & MMC_DATA_READ). Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: eae309836509 ("mmc: sh_mmcif: Terminate DMA transactions when detecting timeout or error")
Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx>
---
 drivers/mmc/host/sh_mmcif.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
index 0fd4c9d644dd..f35694acafcc 100644
--- a/drivers/mmc/host/sh_mmcif.c
+++ b/drivers/mmc/host/sh_mmcif.c
@@ -1136,14 +1136,17 @@ static bool sh_mmcif_end_cmd(struct sh_mmcif_host *host)
 time = wait_for_completion_interruptible_timeout(&host->dma_complete,
 host->timeout);

- if (data->flags & MMC_DATA_READ)
- dma_unmap_sg(host->chan_rx->device->dev,
- data->sg, data->sg_len,
- DMA_FROM_DEVICE);
- else
- dma_unmap_sg(host->chan_tx->device->dev,
- data->sg, data->sg_len,
- DMA_TO_DEVICE);
+ if (data->flags & MMC_DATA_READ) {
+ if (host->chan_rx)
+ sh_mmcif_end_cmd(host->chan_rx->device->dev,
+ data->sg, data->sg_len,
+ DMA_FROM_DEVICE);
+ } else {
+ if (host->chan_tx)
+ dma_unmap_sg(host->chan_tx->device->dev,
+ data->sg, data->sg_len,
+ DMA_TO_DEVICE);
+ }

 if (host->sd_error) {
 dev_err(host->mmc->parent,
--
2.30.2
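Review bot: The read branch of the new code calls `sh_mmcif_end_cmd(host->chan_rx->device->dev, data->sg, data->sg_len, DMA_FROM_DEVICE);`, but the hunk header shows `sh_mmcif_end_cmd` taking a single `struct sh_mmcif_host *host`, so this looks like a substitution slip for `dma_unmap_sg` and should not compile as posted. With that line as written the read path no longer unmaps the scatterlist that the removed code released with `DMA_FROM_DEVICE`; the call should read `dma_unmap_sg(host->chan_rx->device->dev,` to mirror the write branch. Separately, the new guards skip the unmap silently when the channel pointer is NULL, and the hunk does not show whether a mapping can still exist in that state; if the invariant is that nothing was mapped, a short comment such as `/* no DMA channel: nothing was mapped */` above each guard would record it. The function body begins and ends outside the hunk, so the mapping side could not be checked here.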