nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy

commit f9b88613ff402aa6fe8fd020573cb95867ae947e upstream.

Buffer size used in dma allocation and memcpy is wrong.
It can lead to undersized DMA buffer access and possible
memory corruption. use correct buffer size in dma_alloc_coherent
and memcpy.

Fixes: 737c0c8d07b5 ("nvmem: zynqmp_nvmem: Add support to access efuse")
Cc: stable@vger.kernel.org
Signed-off-by: Ivan Vera <ivanverasantos@gmail.com>
Signed-off-by: Harish Ediga <harish.ediga@amd.com>
Signed-off-by: Harsh Jain <h.jain@amd.com>
Signed-off-by: Srinivas Kandagatla <srini@kernel.org>
Link: https://patch.msgid.link/20260327131645.3025781-3-srini@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/nvmem/zynqmp_nvmem.c b/drivers/nvmem/zynqmp_nvmem.c
index 7da717d6c7faf3536c0a4e31ba9d3f21ea0ab577..d297ff150dc02465b36f6dd16eb8be6accc88aad 100644 (file)
--- a/drivers/nvmem/zynqmp_nvmem.c
+++ b/drivers/nvmem/zynqmp_nvmem.c
@@ -66,7 +66,7 @@ static int zynqmp_efuse_access(void *context, unsigned int offset,
        dma_addr_t dma_buf;
        size_t words = bytes / WORD_INBYTES;
        int ret;
-       int value;
+       unsigned int value;
        char *data;
 
        if (bytes % WORD_INBYTES != 0) {
@@ -80,7 +80,7 @@ static int zynqmp_efuse_access(void *context, unsigned int offset,
        }
 
        if (pufflag == 1 && flag == EFUSE_WRITE) {
-               memcpy(&value, val, bytes);
+               memcpy(&value, val, sizeof(value));
                if ((offset == EFUSE_PUF_START_OFFSET ||
                     offset == EFUSE_PUF_MID_OFFSET) &&
                    value & P_USER_0_64_UPPER_MASK) {
@@ -100,7 +100,7 @@ static int zynqmp_efuse_access(void *context, unsigned int offset,
        if (!efuse)
                return -ENOMEM;
 
-       data = dma_alloc_coherent(dev, sizeof(bytes),
+       data = dma_alloc_coherent(dev, bytes,
                                  &dma_buf, GFP_KERNEL);
        if (!data) {
                ret = -ENOMEM;
@@ -134,7 +134,7 @@ static int zynqmp_efuse_access(void *context, unsigned int offset,
        if (flag == EFUSE_READ)
                memcpy(val, data, bytes);
 efuse_access_err:
-       dma_free_coherent(dev, sizeof(bytes),
+       dma_free_coherent(dev, bytes,
                          data, dma_buf);
 efuse_data_fail:
        dma_free_coherent(dev, sizeof(struct xilinx_efuse),