Commit 923dff87 authored by Shawn Lin's avatar Shawn Lin Committed by Ulf Hansson
Browse files

mmc: sdio: deploy error handling instead of triggering BUG_ON 



When using mmc_io_rw_extended, it's intent to avoid null
pointer of card and invalid func number. But actually it
didn't prevent that as the seg_size already use the card.
Currently the wrapper function sdio_io_rw_ext_helper already
use card before calling mmc_io_rw_extended, so we should move
this check to there. As to the func number, it was token from
'(ocr & 0x70000000) >> 28' which should be enough to guarantee
that it won't be larger than 7. But we should prevent the
caller like wifi drivers modify this value. So let's move this
check into sdio_io_rw_ext_helper either.

Also we remove the BUG_ON for mmc_send_io_op_cond since all
possible paths calling this function are protected by checking
the arguments in advance. After deploying these changes, we
could not see any panic within SDIO API even if func drivers
abuse the SDIO func APIs.

Signed-off-by: default avatarShawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
parent 96e52daa

drivers/mmc/core/sdio_io.c

+31 −16
Original line number Diff line number Diff line
@@ -26,8 +26,8 @@ 
 */

void sdio_claim_host(struct sdio_func *func)

{

	BUG_ON(!func);

	BUG_ON(!func->card);

	if (WARN_ON(!func))

		return;



	mmc_claim_host(func->card->host);

}
@@ -42,8 +42,8 @@ EXPORT_SYMBOL_GPL(sdio_claim_host); 
 */

void sdio_release_host(struct sdio_func *func)

{

	BUG_ON(!func);

	BUG_ON(!func->card);

	if (WARN_ON(!func))

		return;



	mmc_release_host(func->card->host);

}
@@ -62,8 +62,8 @@ int sdio_enable_func(struct sdio_func *func) 
	unsigned char reg;

	unsigned long timeout;



	BUG_ON(!func);

	BUG_ON(!func->card);

	if (!func)

		return -EINVAL;



	pr_debug("SDIO: Enabling device %s...\n", sdio_func_id(func));
@@ -112,8 +112,8 @@ int sdio_disable_func(struct sdio_func *func) 
	int ret;

	unsigned char reg;



	BUG_ON(!func);

	BUG_ON(!func->card);

	if (!func)

		return -EINVAL;



	pr_debug("SDIO: Disabling device %s...\n", sdio_func_id(func));
@@ -307,6 +307,9 @@ static int sdio_io_rw_ext_helper(struct sdio_func *func, int write, 
	unsigned max_blocks;

	int ret;



	if (!func || (func->num > 7))

		return -EINVAL;



	/* Do the bulk of the transfer using block mode (if supported). */

	if (func->card->cccr.multi_block && (size > sdio_max_byte_size(func))) {

		/* Blocks per command is limited by host count, host transfer
@@ -367,7 +370,10 @@ u8 sdio_readb(struct sdio_func *func, unsigned int addr, int *err_ret) 
	int ret;

	u8 val;



	BUG_ON(!func);

	if (!func) {

		*err_ret = -EINVAL;

		return 0xFF;

	}



	if (err_ret)

		*err_ret = 0;
@@ -398,7 +404,10 @@ void sdio_writeb(struct sdio_func *func, u8 b, unsigned int addr, int *err_ret) 
{

	int ret;



	BUG_ON(!func);

	if (!func) {

		*err_ret = -EINVAL;

		return;

	}



	ret = mmc_io_rw_direct(func->card, 1, func->num, addr, b, NULL);

	if (err_ret)
@@ -623,7 +632,10 @@ unsigned char sdio_f0_readb(struct sdio_func *func, unsigned int addr, 
	int ret;

	unsigned char val;



	BUG_ON(!func);

	if (!func) {

		*err_ret = -EINVAL;

		return 0xFF;

	}



	if (err_ret)

		*err_ret = 0;
@@ -658,7 +670,10 @@ void sdio_f0_writeb(struct sdio_func *func, unsigned char b, unsigned int addr, 
{

	int ret;



	BUG_ON(!func);

	if (!func) {

		*err_ret = -EINVAL;

		return;

	}



	if ((addr < 0xF0 || addr > 0xFF) && (!mmc_card_lenient_fn0(func->card))) {

		if (err_ret)
@@ -684,8 +699,8 @@ EXPORT_SYMBOL_GPL(sdio_f0_writeb); 
 */

mmc_pm_flag_t sdio_get_host_pm_caps(struct sdio_func *func)

{

	BUG_ON(!func);

	BUG_ON(!func->card);

	if (!func)

		return 0;



	return func->card->host->pm_caps;

}
@@ -707,8 +722,8 @@ int sdio_set_host_pm_flags(struct sdio_func *func, mmc_pm_flag_t flags) 
{

	struct mmc_host *host;



	BUG_ON(!func);

	BUG_ON(!func->card);

	if (!func)

		return -EINVAL;



	host = func->card->host;

drivers/mmc/core/sdio_ops.c

+2 −7
Original line number Diff line number Diff line
@@ -24,8 +24,6 @@ int mmc_send_io_op_cond(struct mmc_host *host, u32 ocr, u32 *rocr) 
	struct mmc_command cmd = {0};

	int i, err = 0;



	BUG_ON(!host);



	cmd.opcode = SD_IO_SEND_OP_COND;

	cmd.arg = ocr;

	cmd.flags = MMC_RSP_SPI_R4 | MMC_RSP_R4 | MMC_CMD_BCR;
@@ -71,8 +69,8 @@ static int mmc_io_rw_direct_host(struct mmc_host *host, int write, unsigned fn, 
	struct mmc_command cmd = {0};

	int err;



	BUG_ON(!host);

	BUG_ON(fn > 7);

	if (fn > 7)

		return -EINVAL;



	/* sanity check */

	if (addr & ~0x1FFFF)
@@ -114,7 +112,6 @@ static int mmc_io_rw_direct_host(struct mmc_host *host, int write, unsigned fn, 
int mmc_io_rw_direct(struct mmc_card *card, int write, unsigned fn,

	unsigned addr, u8 in, u8 *out)

{

	BUG_ON(!card);

	return mmc_io_rw_direct_host(card->host, write, fn, addr, in, out);

}
@@ -129,8 +126,6 @@ int mmc_io_rw_extended(struct mmc_card *card, int write, unsigned fn, 
	unsigned int nents, left_size, i;

	unsigned int seg_size = card->host->max_seg_size;



	BUG_ON(!card);

	BUG_ON(fn > 7);

	WARN_ON(blksz == 0);



	/* sanity check */

CRA Git | Maintained and supported by SUSTech CRA and CCSE