
Commit 7f1d9ff4 authored by Subramanian Ananthanarayanan's avatar Subramanian Ananthanarayanan Committed by Gauri Joshi

msm: mhi_dev: Prevent invalid memory access during channel read



ring_cache is NULL because the channel has not yet been started, and the read
operation accesses ring_cache before checking whether the channel is in the
stopped state. Add a check in the UCI layer so that read/write transfers are
performed only if the channel is in a valid state.

Change-Id: Ic8e6ae19badf43a7f64f92349e9c2427750a98b6
Signed-off-by: default avatarSubramanian Ananthanarayanan <skananth@codeaurora.org>
Signed-off-by: default avatarGauri Joshi <gaurjosh@codeaurora.org>
parent 18e10bee
+8 −7
@@ -2888,6 +2888,14 @@ int mhi_dev_read_channel(struct mhi_req *mreq)
	mutex_lock(&ch->ch_lock);

	do {
		if (ch->state == MHI_DEV_CH_STOPPED) {
			mhi_log(MHI_MSG_VERBOSE,
				"channel (%d) already stopped\n",
				mreq->chan);
			bytes_read = -1;
			goto exit;
		}

		el = &ring->ring_cache[ring->rd_offset];
		mhi_log(MHI_MSG_VERBOSE, "evtptr : 0x%llx\n",
						el->tre.data_buf_ptr);
@@ -2909,13 +2917,6 @@ int mhi_dev_read_channel(struct mhi_req *mreq)
				goto exit;
			}

			if (ch->state == MHI_DEV_CH_STOPPED) {
				mhi_log(MHI_MSG_VERBOSE,
					"channel (%d) already stopped\n",
					mreq->chan);
				bytes_read = -1;
				goto exit;
			}

			ch->tre_loc = el->tre.data_buf_ptr;
			ch->tre_size = el->tre.len;
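Review bot: The relocated guard at the top of the loop rejects only `ch->state == MHI_DEV_CH_STOPPED`, yet the commit message describes a channel that was never started; unless a never-started channel is also reported as stopped (not visible in this hunk), `el = &ring->ring_cache[ring->rd_offset]` still dereferences a NULL ring_cache for that case. Since the dereference is what the fix is meant to prevent, a direct check on the pointer itself, placed just before that line and under the same ch_lock, would cover every state in which the ring has not been allocated: `if (!ring->ring_cache) { bytes_read = -1; goto exit; }`. A one-line comment above the state check, `/* ring_cache is only valid while the channel is started; check before touching the ring */`, would also make the ordering dependency explicit so the check is not moved back below the access later. mhi_dev_read_channel begins and ends outside these hunks, so where `ring` is assigned relative to the lock is not visible here.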
+16 −1
@@ -935,8 +935,11 @@ static int open_client_mhi_channels(struct uci_client *uci_client)
{
	int rc = 0;

	if (!mhi_uci_are_channels_connected(uci_client))
	if (!mhi_uci_are_channels_connected(uci_client)) {
		uci_log(UCI_DBG_ERROR, "%s:Channels are not connected\n",
			__func__);
		return -ENODEV;
	}

	uci_log(UCI_DBG_DBG,
			"Starting channels %d %d.\n",
@@ -1246,6 +1249,12 @@ static int __mhi_uci_client_read(struct uci_client *uci_handle,
	int ret_val = 0;

	do {
		if (!mhi_uci_are_channels_connected(uci_handle)) {
			uci_log(UCI_DBG_ERROR,
				"%s:Channels are not connected\n", __func__);
			return -ENODEV;
		}

		if (!uci_handle->pkt_loc &&
			!atomic_read(&uci_ctxt.mhi_disabled)) {
			ret_val = uci_handle->read(uci_handle, bytes_avail);
@@ -1392,6 +1401,12 @@ static ssize_t mhi_uci_client_write(struct file *file,
		return -EIO;
	}

	if (!mhi_uci_are_channels_connected(uci_handle)) {
		uci_log(UCI_DBG_ERROR, "%s:Channels are not connected\n",
			__func__);
		return -ENODEV;
	}

	if (count > TRB_MAX_DATA_SIZE) {
		uci_log(UCI_DBG_ERROR,
			"Too big write size: %lu, max supported size is %d\n",
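Review bot: The new `mhi_uci_are_channels_connected()` checks in `__mhi_uci_client_read` and `mhi_uci_client_write` are not visibly under any lock that serializes them with channel stop/disconnect, so a channel that is torn down between the check and the subsequent transfer can still reach the device layer; the check under ch_lock inside mhi_dev_read_channel therefore remains the authoritative guard and these are fast-fail pre-checks. A comment at the first of them would prevent a later reader from removing the device-side check as redundant, e.g. `/* Advisory check only; the channel can still stop before the transfer is issued. The mhi_dev layer re-validates state under ch_lock. */`. The same three-line log-and-return block now appears verbatim three times in this file (open_client_mhi_channels, __mhi_uci_client_read, mhi_uci_client_write); folding it into one `static int` helper that logs with `__func__` and returns `-ENODEV` would keep the log text and return code consistent. Both `__mhi_uci_client_read` and `mhi_uci_client_write` extend beyond their hunks, so whether the early `return -ENODEV` inside the read loop skips any cleanup acquired earlier in the function cannot be confirmed from here.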