For RPMB, block count is a non-zero 16 bit wide number. Reject invalid values from userspace instead of just masking the unneeded bits. Tested with a modified 'mmc-utils' package.
Signed-off-by: Wolfram Sang <[email protected]> --- drivers/mmc/core/block.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index c35b5b08bb33..9e0f7e4aa8c6 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -550,6 +550,9 @@ static int __mmc_blk_ioctl_cmd(struct mmc_card *card, struct mmc_blk_data *md, } if (idata->rpmb) { + if (data.blocks > 65535 || !data.blocks) + return -EINVAL; + err = mmc_set_blockcount(card, data.blocks, idata->ic.write_flag & (1 << 31)); if (err) -- 2.11.0
