Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f5877ca1 authored by Andrei Danaila's avatar Andrei Danaila
Browse files

mhi: uci: Fix race conditon in mhi_poll_inbound 



A race condition exists in MHI_UCI whereby a client could receive
a buffer, inconsistent with the return code from MHI.

Change-Id: I4a932ea608ce967c1588f092c60d03747bad2064
Signed-off-by: default avatarAndrei Danaila <adanaila@codeaurora.org>
parent fd8c19f7

drivers/platform/msm/mhi/mhi_main.c

+12 −10
Original line number Diff line number Diff line
@@ -1302,20 +1302,22 @@ int mhi_poll_inbound(struct mhi_client_handle *client_handle, 
					(union mhi_xfer_pkt *)pending_trb);

		result->flags = pending_trb->info;

		result->transaction_status = MHI_STATUS_SUCCESS;

	} else {

		result->payload_buf = 0;

		result->bytes_xferd = 0;

		result->transaction_status = MHI_STATUS_SUCCESS;

	}

	ret_val = delete_element(local_chan_ctxt, &local_chan_ctxt->ack_rp,

		ret_val = delete_element(local_chan_ctxt,

					&local_chan_ctxt->ack_rp,

					&local_chan_ctxt->rp, NULL);

		if (ret_val != MHI_STATUS_SUCCESS) {

			mhi_log(MHI_MSG_ERROR,

			"Failed to remove from inbound ring ret %d chan %d\n",

				"Internal Failure, inconsistent ring state, ret %d chan %d\n",

				ret_val, chan);

			result->payload_buf = 0;

			result->bytes_xferd = 0;

			result->transaction_status = MHI_STATUS_ERROR;

		}

	} else {

		result->payload_buf = 0;

		result->bytes_xferd = 0;

		result->transaction_status = MHI_STATUS_SUCCESS;

		ret_val = MHI_STATUS_RING_EMPTY;

	}

	mutex_unlock(chan_mutex);

	return ret_val;