mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length

No check is done on the size of the data to be transmiited. This causes
a kernel panic when this size exceeds the sg_miter's length.

Limit the number of transmitted bytes to sgm->length.

Cc: stable@vger.kernel.org
Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO")
Signed-off-by: Bastien Curutchet <bastien.curutchet@bootlin.com>
Link: https://lore.kernel.org/r/20240711081838.47256-2-bastien.curutchet@bootlin.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>

diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
index d7427894e0bc9f6bc70e11cc048511c1bc44463d..c302eb380e427efb41d18f45dd90e1c24382e0c4 100644 (file)
--- a/drivers/mmc/host/davinci_mmc.c
+++ b/drivers/mmc/host/davinci_mmc.c
@@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
        }
        p = sgm->addr;
 
+       if (n > sgm->length)
+               n = sgm->length;
+
        /* NOTE:  we never transfer more than rw_threshold bytes
         * to/from the fifo here; there's no I/O overlap.
         * This also assumes that access width( i.e. ACCWD) is 4 bytes