On Thu, 11 Jul 2024 at 10:18, Bastien Curutchet
<bastien.curutchet@xxxxxxxxxxx> wrote:
>
> No check is done on the size of the data to be transmiited. This causes
> a kernel panic when this size exceeds the sg_miter's length.
>
> Limit the number of transmitted bytes to sgm->length.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO")
> Signed-off-by: Bastien Curutchet <bastien.curutchet@xxxxxxxxxxx>
Applied for fixes, thanks!
Kind regards
Uffe
> ---
> drivers/mmc/host/davinci_mmc.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
> index d7427894e0bc..c302eb380e42 100644
> --- a/drivers/mmc/host/davinci_mmc.c
> +++ b/drivers/mmc/host/davinci_mmc.c
> @@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
> }
> p = sgm->addr;
>
> + if (n > sgm->length)
> + n = sgm->length;
> +
> /* NOTE: we never transfer more than rw_threshold bytes
> * to/from the fifo here; there's no I/O overlap.
> * This also assumes that access width( i.e. ACCWD) is 4 bytes
> --
> 2.45.0
>
