From 5b3c219b5e5bc4ecd4e0dde7688929ff14cd08b0 Mon Sep 17 00:00:00 2001 From: popcornmix Date: Tue, 23 Apr 2024 09:51:36 +0100 Subject: [PATCH 1047/1085] dw-axi-dmac-platform: Avoid trampling with zero length buffer This code: for_each_sg(sgl, sg, sg_len, i) num_sgs += DIV_ROUND_UP(sg_dma_len(sg), axi_block_len); determines how many hw_desc are allocated. If sg_dma_len(sg)=0 we don't allocate for this sgl. However in the next loop, we will increment loop for this case, and loop gets higher than num_sgs and we trample memory. Signed-off-by: Dom Cobley --- drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c +++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c @@ -917,6 +917,9 @@ dw_axi_dma_chan_prep_slave_sg(struct dma mem = sg_dma_address(sg); len = sg_dma_len(sg); num_segments = DIV_ROUND_UP(sg_dma_len(sg), axi_block_len); + if (!num_segments) + continue; + segment_len = DIV_ROUND_UP(sg_dma_len(sg), num_segments); do {