
Commit eb29f2d7 authored by Veerabhadrarao Badiganti's avatar Veerabhadrarao Badiganti

msm: mhi_dev: Ensure event buffer size reflects the right size



We are setting event buffer size with the requested size and then
allocating the buffer for event requests (ereqs). But if the memory
allocation for ereq buffer fails, the event-buffer-size variable
is not getting set to zero.

Due to this, if a client calls open channel multiple times,
our logic proceeded without really allocating the buffer for ereqs.
And while processing completion events, we are observing null pointer
dereference issues.

Change-Id: I10bee8428d178ef5a7f0fe5fcd93fcce8dcbe27d
Signed-off-by: default avatarVeerabhadrarao Badiganti <quic_vbadigan@quicinc.com>
parent 3c9afc13
+9 −2
@@ -3098,13 +3098,20 @@ static int mhi_dev_alloc_evt_buf_evt_req(struct mhi_dev *mhi,

	/* Allocate event requests */
	ch->ereqs = kcalloc(ch->evt_req_size, sizeof(*ch->ereqs), GFP_KERNEL);
	if (!ch->ereqs)
		return -ENOMEM;
	if (!ch->ereqs) {
		mhi_log(MHI_MSG_ERROR,
			"Failed to alloc ereqs for Channel %d\n", ch->ch_id);
		rc = -ENOMEM;
		goto free_ereqs;
	}

	/* Allocate buffers to queue transfer completion events */
	ch->tr_events = kcalloc(ch->evt_buf_size, sizeof(*ch->tr_events),
			GFP_KERNEL);
	if (!ch->tr_events) {
		mhi_log(MHI_MSG_ERROR,
			"Failed to alloc tr_events buffer for Channel %d\n",
			ch->ch_id);
		rc = -ENOMEM;
		goto free_ereqs;
	}
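Review bot: The reset of the stale size that the commit message describes is not visible in this hunk: the new `!ch->ereqs` branch only sets `rc` and jumps to `free_ereqs`, so the actual fix depends on what that label does, and both the label and the start of `mhi_dev_alloc_evt_buf_evt_req` are outside the lines shown. Please confirm that the label zeroes `ch->evt_buf_size` and `ch->evt_req_size` and leaves `ch->ereqs` NULL, since per the description a repeated open-channel call otherwise skips allocation and the completion path dereferences the missing buffer. A comment at the jump such as `/* free_ereqs also resets the size fields so a later open re-allocates */` would make that dependency explicit. Jumping to a label named `free_ereqs` when `ereqs` was never allocated also reads oddly; a separate label (or renaming it) would be clearer, assuming the label only does `kfree()` plus the resets.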
+3 −3
@@ -651,7 +651,7 @@ static int mhi_uci_send_async(struct uci_client *uci_handle,
	int bytes_to_write;
	struct mhi_req *ureq;

	uci_log(UCI_DBG_VERBOSE,
	uci_log(UCI_DBG_DBG,
		"Async write for ch %d size %d\n",
		uci_handle->out_chan, size);

@@ -865,7 +865,7 @@ static int mhi_uci_read_async(struct uci_client *uci_handle, int *bytes_avail)
	struct mhi_req *ureq;
	struct mhi_dev_client *client_handle;

	uci_log(UCI_DBG_ERROR,
	uci_log(UCI_DBG_DBG,
		"Async read for ch %d\n", uci_handle->in_chan);

	ureq = mhi_uci_get_req(uci_handle);
@@ -1031,7 +1031,7 @@ static int open_client_mhi_channels(struct uci_client *uci_client)
			uci_ctxt.event_notifier);
	if (rc < 0) {
		uci_log(UCI_DBG_ERROR,
			"Failed to open chan %d, ret 0x%x\n",
			"Failed to open chan %d, ret %d\n",
			uci_client->out_chan, rc);
		goto handle_in_err;
	}
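Review bot: The three logging changes in this file are not mentioned in the commit message, which describes only the event-buffer allocation fix. Moving the "Async write" and "Async read" traces to `UCI_DBG_DBG` and printing `rc` with `%d` instead of `0x%x` look reasonable, but bundling them with a null-dereference fix makes the fix harder to cherry-pick or backport on its own. Either split them into a separate commit or add a line to the description, e.g. `Also adjust UCI log levels and print the open-channel error code as a signed decimal.`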