From patchwork Thu Nov 17 12:30:07 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Anastasia Belova <abelova@astralinux.ru>
X-Patchwork-Id: 21638
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:f944:0:0:0:0:0 with SMTP id q4csp373333wrr;
        Thu, 17 Nov 2022 04:35:02 -0800 (PST)
X-Google-Smtp-Source: 
 AA0mqf7AK3dd6iTOuprnFRwKaszEYRKGvdGobLPpc1bNS9nwt/hUbEIj7LSfZLFDE28X8MWr8+a4
X-Received: by 2002:a17:906:4e46:b0:7ae:129b:2d3a with SMTP id
 g6-20020a1709064e4600b007ae129b2d3amr1932403ejw.552.1668688502562;
        Thu, 17 Nov 2022 04:35:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668688502; cv=none;
        d=google.com; s=arc-20160816;
        b=X6oXTcFvlBhiuKxBtgepEPAiEOH44sfPf/xNRlhFW7k8VzgpYi9GqtIdQ6ouV4R1pA
         S1MFPtAvLBkGB4GfHn3E83of/bbhxkm1IhU2TAgpvRAFNIKppOIfYoS8tuDCdZeHdRst
         J4ro4m+QJRVJ+bzMz99I7aSxhnpQlYj1bifnH24vHS8/SzO3BbnfZpHF3V4x20JrjznC
         vOR4MjUPgmWuURuPY15+e9H9KL5Z3otW1C76WNVg4A61Sx1VcUjsf0vPaI48HrCSl7PY
         5BhSwBrvPszcs3+tlYt6pCgbn7aey/iKYrXNT0mekbd4jNU8O6N4scXw6ZEZaV3SBJcI
         zDSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=fzv3uEKI9R75mkvMhmrhyA597H5oOTjTfEKnekrNENs=;
        b=kcOpqSz6z5AHnwy6MLvr6mzYRAfvp4ROS5/R+0tIpvrI9Q1XcjkIuJdRD/pB11ppXF
         NcI05MNzUcjLezgImyp8qojyPcK6bBkL9EqsSIa9Z/qn9QUcir7WuWFdBf1+CEvysGXA
         4oNAm/AS6jLEt9yfMSr7LU5CxKQ6L3GU0QCG5ji/GIL4VPWbdStns9JbmXrS+f3TIGZP
         kBbY+S8SeUloEIn5BigfwfWL4heEdqy1/FL12b0XMqsvmrpsdECPB5GwzQTnW+uKA0el
         88wJK4J1rOcciSJNhIH4lqLyXPO+V7FTAM5OVeU5LgV6nxCILpa/o+fMrqznV/G5WMmm
         knrw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 sd42-20020a1709076e2a00b0078a30f54c57si591794ejc.32.2022.11.17.04.34.38;
        Thu, 17 Nov 2022 04:35:02 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234840AbiKQMby (ORCPT <rfc822;a1648639935@gmail.com>
        + 99 others); Thu, 17 Nov 2022 07:31:54 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56016 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239831AbiKQMbd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 17 Nov 2022 07:31:33 -0500
Received: from mail.astralinux.ru (mail.astralinux.ru [217.74.38.119])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 092A17721A;
        Thu, 17 Nov 2022 04:30:21 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
        by mail.astralinux.ru (Postfix) with ESMTP id 8FF3518640DD;
        Thu, 17 Nov 2022 15:30:18 +0300 (MSK)
Received: from mail.astralinux.ru ([127.0.0.1])
        by localhost (rbta-msk-vsrv-mail01.astralinux.ru [127.0.0.1])
 (amavisd-new, port 10032)
        with ESMTP id 3Wyc6Ar0RLbD; Thu, 17 Nov 2022 15:30:18 +0300 (MSK)
Received: from localhost (localhost [127.0.0.1])
        by mail.astralinux.ru (Postfix) with ESMTP id 3589018640D7;
        Thu, 17 Nov 2022 15:30:18 +0300 (MSK)
X-Virus-Scanned: amavisd-new at astralinux.ru
Received: from mail.astralinux.ru ([127.0.0.1])
        by localhost (rbta-msk-vsrv-mail01.astralinux.ru [127.0.0.1])
 (amavisd-new, port 10026)
        with ESMTP id ynNIvwKRm9Iv; Thu, 17 Nov 2022 15:30:18 +0300 (MSK)
Received: from rbta-msk-lt-106062.DL (unknown [37.1.14.128])
        by mail.astralinux.ru (Postfix) with ESMTPSA id 832A71863D1F;
        Thu, 17 Nov 2022 15:30:17 +0300 (MSK)
From: Anastasia Belova <abelova@astralinux.ru>
To: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Anastasia Belova <abelova@astralinux.ru>,
        Geert Uytterhoeven <geert+renesas@glider.be>,
        Jiasheng Jiang <jiasheng@iscas.ac.cn>,
        Wolfram Sang <wsa+renesas@sang-engineering.com>,
        Teppei Kamijou <teppei.kamijou.yb@renesas.com>,
        Guennadi Liakhovetski <g.liakhovetski@gmx.de>,
        Shinya Kuribayashi <shinya.kuribayashi.px@renesas.com>,
        Chris Ball <cjb@laptop.org>,
        linux-mmc@vger.kernel.org (open list:MULTIMEDIA CARD (MMC), SECURE
        DIGITAL (SD) AND...), linux-kernel@vger.kernel.org (open list),
        lvc-project@linuxtesting.org
Subject: [PATCH] mmc: sh_mmcif: Add check for NULL for host->chan_yx and
 host->chan_rx in sh_mmcif_end_cmd
Date: Thu, 17 Nov 2022 15:30:07 +0300
Message-Id: <20221117123007.13071-1-abelova@astralinux.ru>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
        SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1749746715419782008?=
X-GMAIL-MSGID: =?utf-8?q?1749746715419782008?=

Without these checks NULL-pointer may be dereferenced in
sh_mmcif_end_cmd parameters inside if (data->flags & MMC_DATA_READ).

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: eae309836509 ("mmc: sh_mmcif: Terminate DMA transactions when detecting timeout or error")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
---
 drivers/mmc/host/sh_mmcif.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
index 0fd4c9d644dd..f35694acafcc 100644
--- a/drivers/mmc/host/sh_mmcif.c
+++ b/drivers/mmc/host/sh_mmcif.c
@@ -1136,14 +1136,17 @@ static bool sh_mmcif_end_cmd(struct sh_mmcif_host *host)
 	time = wait_for_completion_interruptible_timeout(&host->dma_complete,
 							 host->timeout);
 
-	if (data->flags & MMC_DATA_READ)
-		dma_unmap_sg(host->chan_rx->device->dev,
-			     data->sg, data->sg_len,
-			     DMA_FROM_DEVICE);
-	else
-		dma_unmap_sg(host->chan_tx->device->dev,
-			     data->sg, data->sg_len,
-			     DMA_TO_DEVICE);
+	if (data->flags & MMC_DATA_READ) {
+		if (host->chan_rx)
+			sh_mmcif_end_cmd(host->chan_rx->device->dev,
+					data->sg, data->sg_len,
+					DMA_FROM_DEVICE);
+	} else {
+		if (host->chan_tx)
+			dma_unmap_sg(host->chan_tx->device->dev,
+					data->sg, data->sg_len,
+					DMA_TO_DEVICE);
+	}
 
 	if (host->sd_error) {
 		dev_err(host->mmc->parent,