Commit 24ebbc28 authored Nov 09, 2021 by Sai Chaitanya Kaveti Committed by Gerrit - the friendly Code Review server Jan 09, 2022

msm: mhi_dev: Added mutex lock in mhi_dev_write_channel

mhi_dev_write_channel is called by diag channel. While processing it,
reset interrupt is received from host. During the reset sequence the
work queue mhi_sm_wq is getting destroyed in mhi_dev_sm_exit API. When
the mhi_dev_write_channel is resumed, queuing of work is done as part of
mhi_dev_notify_sm_event. Here, as the work queue is destroyed, crash
occurred with a kernel null pointer deference error. This is a race
condition between reset sequence and mhi_dev_notify_sm_event.

To avoid this race condition added a mutex lock mhi_lock in
mhi_dev_write_channel before calling mhi_dev_notify_sm_event.

Change-Id: Idaf1c33c462b6d659f3e5ddb333afe9c6a967fac
Signed-off-by: Sai Chaitanya Kaveti <quic_skaveti@quicinc.com>

parent 9ac53309

drivers/platform/msm/mhi_dev/mhi.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -3535,13 +3535,16 @@ int mhi_dev_write_channel(struct mhi_req *wreq)
		* Expected usage is when there is a write
		* to the MHI core -> notify SM.
		*/
		mutex_lock(&mhi_ctx->mhi_lock);
		mhi_log(MHI_MSG_CRITICAL, "Wakeup by chan:%d\n", ch->ch_id);
		rc = mhi_dev_notify_sm_event(MHI_DEV_EVENT_CORE_WAKEUP);
		if (rc) {
		pr_err("error sending core wakeup event\n");
		mutex_unlock(&mhi_ctx->mhi_lock);
		mutex_unlock(&mhi_ctx->mhi_write_test);
		return rc;
		}
		mutex_unlock(&mhi_ctx->mhi_lock);
		}

		while (atomic_read(&mhi_ctx->is_suspended) &&