[PATCH] mmc: sh_mmcif: Add check for NULL for host->chan_yx and host->chan_rx in sh_mmcif_end_cmd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Without these checks NULL-pointer may be dereferenced in
sh_mmcif_end_cmd parameters inside if (data->flags & MMC_DATA_READ).

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: eae309836509 ("mmc: sh_mmcif: Terminate DMA transactions when detecting timeout or error")
Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx>
---
 drivers/mmc/host/sh_mmcif.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
index 0fd4c9d644dd..f35694acafcc 100644
--- a/drivers/mmc/host/sh_mmcif.c
+++ b/drivers/mmc/host/sh_mmcif.c
@@ -1136,14 +1136,17 @@ static bool sh_mmcif_end_cmd(struct sh_mmcif_host *host)
 	time = wait_for_completion_interruptible_timeout(&host->dma_complete,
 							 host->timeout);
 
-	if (data->flags & MMC_DATA_READ)
-		dma_unmap_sg(host->chan_rx->device->dev,
-			     data->sg, data->sg_len,
-			     DMA_FROM_DEVICE);
-	else
-		dma_unmap_sg(host->chan_tx->device->dev,
-			     data->sg, data->sg_len,
-			     DMA_TO_DEVICE);
+	if (data->flags & MMC_DATA_READ) {
+		if (host->chan_rx)
+			sh_mmcif_end_cmd(host->chan_rx->device->dev,
+					data->sg, data->sg_len,
+					DMA_FROM_DEVICE);
+	} else {
+		if (host->chan_tx)
+			dma_unmap_sg(host->chan_tx->device->dev,
+					data->sg, data->sg_len,
+					DMA_TO_DEVICE);
+	}
 
 	if (host->sd_error) {
 		dev_err(host->mmc->parent,
-- 
2.30.2




[Index of Archives]     [Linux Memonry Technology]     [Linux USB Devel]     [Linux Media]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux