openwrt/target/linux/bcm27xx/patches-6.6/950-1047-dw-axi-dmac-platform-Avoid-trampling-with-zero-lengt.patch
John Audia 3711557bdf kernel: bump 6.6 to 6.6.36
Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.36

Manually rebased:
        generic/hack-6.6/765-mxl-gpy-control-LED-reg-from-DT.patch
        bcm27xx/patches-6.6/950-0536-dmaengine-dw-axi-dmac-Fixes-for-RP1.patch

Removed upstreamed:
	bmips/patches-6.6/010-v6.10-mips-bmips-BCM6358-make-sure-CBR-is-correctly-set.patch[1]

All other patches automatically rebased.

1. 7c9644a7b5

Build system: x86/64
Build-tested: x86/64/AMD Cezanne, flogic/xiaomi_redmi-router-ax6000-ubootmod, ramips/tplink_archer-a6-v3
Run-tested: x86/64/AMD Cezanne, flogic/xiaomi_redmi-router-ax6000-ubootmod, ramips/tplink_archer-a6-v3

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-07-04 22:07:10 +02:00

35 lines
1.1 KiB
Diff

From 5b3c219b5e5bc4ecd4e0dde7688929ff14cd08b0 Mon Sep 17 00:00:00 2001
From: popcornmix <popcornmix@gmail.com>
Date: Tue, 23 Apr 2024 09:51:36 +0100
Subject: [PATCH 1047/1085] dw-axi-dmac-platform: Avoid trampling with zero
length buffer
This code:
for_each_sg(sgl, sg, sg_len, i)
num_sgs += DIV_ROUND_UP(sg_dma_len(sg), axi_block_len);
determines how many hw_desc are allocated.
If sg_dma_len(sg)=0 we don't allocate for this sgl.
However in the next loop, we will increment loop
for this case, and loop gets higher than num_sgs
and we trample memory.
Signed-off-by: Dom Cobley <popcornmix@gmail.com>
---
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -917,6 +917,9 @@ dw_axi_dma_chan_prep_slave_sg(struct dma
mem = sg_dma_address(sg);
len = sg_dma_len(sg);
num_segments = DIV_ROUND_UP(sg_dma_len(sg), axi_block_len);
+ if (!num_segments)
+ continue;
+
segment_len = DIV_ROUND_UP(sg_dma_len(sg), num_segments);
do {