Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 020b270b authored Aug 19, 2021 by Vivek Pernamitta

mhi: core: Avoid race condition mhi channel prepare and M0 event



There is one race condition where mhi_prepare_channel is called
in which read pointer and write pointer is set to base address
and in parallel there could be an MHI M0 transaction which
checks any pending event rings on all channels (tre_ring)
with RP != WP and rings channel DB which causes Null pointer
access. Check for MHI channel is enabled before ringing channel
doorbell. Reset mhi channel chan_ctxt, tre_ring and buf_ring
wp and rp to NULL in mhi_deinit_chan_ctxt.

Change-Id: If30908fc7fcc26f6987bd0da886bb75468a29b9e
Signed-off-by: Vivek Pernamitta <vpernami@codeaurora.org>

parent 8bfcb5a6

drivers/bus/mhi/core/mhi_init.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -1051,7 +1051,16 @@ void mhi_deinit_chan_ctxt(struct mhi_controller *mhi_cntrl,
		vfree(buf_ring->base);

		buf_ring->base = tre_ring->base = NULL;
		tre_ring->ctxt_wp = NULL;
		chan_ctxt->rbase = 0;
		chan_ctxt->rlen = 0;
		chan_ctxt->rp = chan_ctxt->wp = chan_ctxt->rbase;
		tre_ring->rp = tre_ring->wp = tre_ring->base;
		buf_ring->rp = buf_ring->wp = buf_ring->base;

		/* Update to all cores */
		smp_wmb();

		}

		int mhi_init_chan_ctxt(struct mhi_controller *mhi_cntrl,

drivers/bus/mhi/core/mhi_pm.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -395,7 +395,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl)

		read_lock_irq(&mhi_chan->lock);
		/* only ring DB if ring is not empty */
		if (tre_ring->base && tre_ring->wp != tre_ring->rp)
		if (tre_ring->base && tre_ring->wp != tre_ring->rp &&
		mhi_chan->ch_state == MHI_CH_STATE_ENABLED)
		mhi_ring_chan_db(mhi_cntrl, mhi_chan);
		read_unlock_irq(&mhi_chan->lock);
		}