Fix potential NULL pointer error in sdhci_calc_sw_timeout

Message ID 20220708070353.32624-1-cw9316.lee@samsung.com
State New

Commit Message

Chanwoo Lee July 8, 2022, 7:03 a.m. UTC
From: ChanWoo Lee <cw9316.lee@samsung.com>

In sdhci_cqe_enable(), a NULL value is used as an argument.

* sdhci_set_timeout(host, NULL);
 -> __sdhci_set_timeout(host, cmd);
    -> sdhci_calc_sw_timeout(host,cmd)

The current code doesn't have any problems with the 'too_big' variable.
-------------------------------------------------------------------------
void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd)
{
        bool too_big = false;
        u8 count = sdhci_calc_timeout(host, cmd, &too_big);

        if (too_big &&
            host->quirks2 & SDHCI_QUIRK2_DISABLE_HW_TIMEOUT) {
                sdhci_calc_sw_timeout(host, cmd);
}
------------------------------------------------------------------------

However, if the code related to the 'too_big' variable changes,
a null value may be used in the sdhci_calc_sw_timeout function.

To remove this dependency, add code to check 'cmd' once more.

Signed-off-by: ChanWoo Lee <cw9316.lee@samsung.com>
---
 drivers/mmc/host/sdhci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Krzysztof Kozlowski July 13, 2022, 7:45 a.m. UTC | #1
On 08/07/2022 09:03, Chanwoo Lee wrote:
> From: ChanWoo Lee <cw9316.lee@samsung.com>

Use subsystem prefix in the subject. git log --oneline --

> 
> In sdhci_cqe_enable(), a NULL value is used as an argument.
> 
> * sdhci_set_timeout(host, NULL);
>  -> __sdhci_set_timeout(host, cmd);
>     -> sdhci_calc_sw_timeout(host,cmd)
> 
> The current code doesn't have any problems with the 'too_big' variable.
> -------------------------------------------------------------------------
> void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd)
> {
>         bool too_big = false;
>         u8 count = sdhci_calc_timeout(host, cmd, &too_big);
> 
>         if (too_big &&
>             host->quirks2 & SDHCI_QUIRK2_DISABLE_HW_TIMEOUT) {
>                 sdhci_calc_sw_timeout(host, cmd);
> }
> ------------------------------------------------------------------------
> 
> However, if the code related to the 'too_big' variable changes,
> a null value may be used in the sdhci_calc_sw_timeout function.

I don't get this part. Did you mean that if someone changes the source
code, there will be a null pointer? Then the subject is not accurate.
"Potential NULL ptr" means that it can happen now, in some conditions.

Patch

diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
index 7689ffec5ad1..e5a840097308 100644
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1029,7 +1029,7 @@  void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd)
 	bool too_big = false;
 	u8 count = sdhci_calc_timeout(host, cmd, &too_big);
 
-	if (too_big &&
+	if (too_big && cmd &&
 	    host->quirks2 & SDHCI_QUIRK2_DISABLE_HW_TIMEOUT) {
 		sdhci_calc_sw_timeout(host, cmd);
 		sdhci_set_data_timeout_irq(host, false);
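
Review bot: the added `cmd &&` test in the `if` condition guards a case that the commit message itself says cannot occur with the current code, and `cmd` has already been passed to sdhci_calc_timeout() one line earlier, so the check tells a reader nothing about when `cmd` may be NULL. If the guard is kept, add a comment noting that sdhci_cqe_enable() calls sdhci_set_timeout(host, NULL), or move the NULL check into sdhci_calc_sw_timeout(), where the pointer would be used. With `cmd` NULL the whole block is now skipped, including sdhci_set_data_timeout_irq(host, false) and not only sdhci_calc_sw_timeout(host, cmd); confirm that is intended. The subject should also carry the subsystem prefix and describe this as hardening rather than a fix for an existing NULL dereference.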