Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 68c7250a authored Jul 07, 2017 by David Dai

msm: msm_bus: Include init_time flag during handoff locking



Toggling of init_time flag during another client's request
can cause incorrect counting of active command sets and
an incorrect index used to set the commit bit. This may
result in out of bound accesses.

Change-Id: I00525f37367edccf021189dfdb7fae34c9a1eea5
Signed-off-by: David Dai <daidavid1@codeaurora.org>

parent 6da25f22

drivers/soc/qcom/msm_bus/msm_bus_arb_rpmh.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -854,10 +854,15 @@ static void commit_data(void)
		INIT_LIST_HEAD(&commit_list);
		}

		int commit_late_init_data(void)
		int commit_late_init_data(bool lock)
		{
		int rc;

		if (lock) {
		rt_mutex_lock(&msm_bus_adhoc_lock);
		return 0;
		}

		rc = bus_for_each_dev(&msm_bus_type, NULL, NULL,
		bcm_remove_handoff_req);

drivers/soc/qcom/msm_bus/msm_bus_fabric_rpmh.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1807,9 +1807,10 @@ int __init msm_bus_device_init_driver(void)

		int __init msm_bus_device_late_init(void)
		{
		commit_late_init_data(true);
		MSM_BUS_ERR("msm_bus_late_init: Remove handoff bw requests\n");
		init_time = false;
		return commit_late_init_data();
		return commit_late_init_data(false);
		}
		subsys_initcall(msm_bus_device_init_driver);
		late_initcall_sync(msm_bus_device_late_init);

drivers/soc/qcom/msm_bus/msm_bus_rpmh.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -224,7 +224,7 @@ int msm_bus_enable_limiter(struct msm_bus_node_device_type *nodedev,
		int throttle_en, uint64_t lim_bw);
		int msm_bus_commit_data(struct list_head *clist);
		int bcm_remove_handoff_req(struct device dev, void data);
		int commit_late_init_data(void);
		int commit_late_init_data(bool lock);
		int msm_bus_query_gen(struct list_head *qlist,
		struct msm_bus_tcs_usecase *tcs_usecase);
		void msm_bus_realloc_devmem(struct device dev, void *p, size_t old_size,