On Thu, 11 Jul 2024 at 10:18, Bastien Curutchet bastien.curutchet@bootlin.com wrote:
No check is done on the size of the data to be transmiited. This causes a kernel panic when this size exceeds the sg_miter's length.
Limit the number of transmitted bytes to sgm->length.
Cc: stable@vger.kernel.org Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO") Signed-off-by: Bastien Curutchet bastien.curutchet@bootlin.com
Applied for fixes, thanks!
Kind regards Uffe
drivers/mmc/host/davinci_mmc.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c index d7427894e0bc..c302eb380e42 100644 --- a/drivers/mmc/host/davinci_mmc.c +++ b/drivers/mmc/host/davinci_mmc.c @@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host, } p = sgm->addr;
if (n > sgm->length)n = sgm->length;/* NOTE: we never transfer more than rw_threshold bytes * to/from the fifo here; there's no I/O overlap. * This also assumes that access width( i.e. ACCWD) is 4 bytes-- 2.45.0