]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 539d805)
mtk-sd: Prevent memory corruption from DMA map failure
authorMasami Hiramatsu (Google) <mhiramat@kernel.org>
Thu, 12 Jun 2025 11:26:10 +0000 (20:26 +0900)
committerUlf Hansson <ulf.hansson@linaro.org>
Thu, 19 Jun 2025 11:00:40 +0000 (13:00 +0200)
If msdc_prepare_data() fails to map the DMA region, the request is
not prepared for data receiving, but msdc_start_data() proceeds
the DMA with previous setting.
Since this will lead a memory corruption, we have to stop the
request operation soon after the msdc_prepare_data() fails to
prepare it.

Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mhiramat.tok.corp.google.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
drivers/mmc/host/mtk-sd.c patch | blob | blame | history

diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
index b1d1586cf1fc60ad280e118eb420d9d037b1b9e1..b12cfb9a5e5f4e1e07046172b2f0f324311983f6 100644 (file)
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -853,6 +853,11 @@ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data)
        }
 }
 
+static bool msdc_data_prepared(struct mmc_data *data)
+{
+       return data->host_cookie & MSDC_PREPARE_FLAG;
+}
+
 static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data)
 {
        if (data->host_cookie & MSDC_ASYNC_FLAG)
@@ -1484,8 +1489,18 @@ static void msdc_ops_request(struct mmc_host *mmc, struct mmc_request *mrq)
        WARN_ON(!host->hsq_en && host->mrq);
        host->mrq = mrq;
 
-       if (mrq->data)
+       if (mrq->data) {
                msdc_prepare_data(host, mrq->data);
+               if (!msdc_data_prepared(mrq->data)) {
+                       /*
+                        * Failed to prepare DMA area, fail fast before
+                        * starting any commands.
+                        */
+                       mrq->cmd->error = -ENOSPC;
+                       mmc_request_done(mmc_from_priv(host), mrq);
+                       return;
+               }
+       }
 
        /* if SBC is required, we have HW option and SW option.
         * if HW option is enabled, and SBC does not have "special" flags,
A mirror of Linus' kernel repository