
Commit 729858b4 authored by Siddartha Mohanadoss's avatar Siddartha Mohanadoss

msm: mhi_dev: Fix invalid client access



Check if handle passed from clients is valid before dereference.

Change-Id: I68a1a826f7b85a7e24f2cb75916c50e6788536e9
Signed-off-by: default avatarSiddartha Mohanadoss <smohanad@codeaurora.org>
parent 222949dc
+11 −0
@@ -2282,6 +2282,7 @@ int mhi_dev_open_channel(uint32_t chan_id,
	ch->ereqs = NULL;
free_client:
	kfree(*handle_client);
	*handle_client = NULL;
exit:
	mutex_unlock(&ch->ch_lock);
	return rc;
@@ -2293,6 +2294,11 @@ int mhi_dev_channel_isempty(struct mhi_dev_client *handle)
	struct mhi_dev_channel *ch;
	int rc;

	if (!handle) {
		mhi_log(MHI_MSG_ERROR, "Invalid channel access\n");
		return -EINVAL;
	}

	ch = handle->channel;
	if (!ch)
		return -EINVAL;
@@ -2308,6 +2314,11 @@ int mhi_dev_close_channel(struct mhi_dev_client *handle)
	struct mhi_dev_channel *ch;
	int rc = 0;

	if (!handle) {
		mhi_log(MHI_MSG_ERROR, "Invalid channel access\n");
		return -EINVAL;
	}

	ch = handle->channel;

	mutex_lock(&ch->ch_lock);
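Review bot: In mhi_dev_close_channel the new guard covers only `handle`; the next statements assign `ch = handle->channel;` and call `mutex_lock(&ch->ch_lock);` with no check on `ch`, while mhi_dev_channel_isempty in the hunk above returns -EINVAL when `ch` is NULL. For consistency, add `if (!ch) return -EINVAL;` before the lock. A NULL test also cannot detect a handle that was already freed, so if close releases the client (not visible here), a comment on both functions should state that callers must clear their pointer afterwards, as the open error path now does with `*handle_client = NULL;`. The body of mhi_dev_close_channel continues outside the hunk.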
+22 −4
@@ -914,9 +914,14 @@ static int mhi_uci_client_open(struct inode *mhi_inode,
				"Opening channels client %d\n",
				iminor(mhi_inode));
			rc = open_client_mhi_channels(uci_handle);
			if (rc) {
			if (rc < 0) {
				uci_log(UCI_DBG_INFO,
					"Failed to open channels ret %d\n", rc);
				if (atomic_sub_return(1, &uci_handle->ref_count)
									== 0) {
					uci_log(UCI_DBG_INFO,
						"Closing failed channel\n");
				}
				return rc;
			}
		}
@@ -1148,7 +1153,16 @@ static ssize_t mhi_uci_client_read(struct file *file, char __user *ubuf,
	ssize_t bytes_copied = 0;
	u32 addr_offset = 0;

	if (!file || !ubuf || !file->private_data) {
		uci_log(UCI_DBG_DBG, "Invalid access to read\n");
		return -EINVAL;
	}

	uci_handle = file->private_data;
	if (!uci_handle->read || !uci_handle->in_handle) {
		uci_log(UCI_DBG_DBG, "Invalid inhandle or read\n");
		return -EINVAL;
	}
	mutex = &uci_handle->in_chan_lock;
	mutex_lock(mutex);

@@ -1216,12 +1230,16 @@ static ssize_t mhi_uci_client_write(struct file *file,
	unsigned long memcpy_result;
	int rc;

	if (file == NULL || buf == NULL ||
		!count || file->private_data == NULL)
	if (!file || !buf || !count || !file->private_data) {
		uci_log(UCI_DBG_DBG, "Invalid access to write\n");
		return -EINVAL;
	}

	uci_handle = file->private_data;

	if (!uci_handle->send || !uci_handle->out_handle) {
		uci_log(UCI_DBG_DBG, "Invalid handle or send\n");
		return -EINVAL;
	}
	if (atomic_read(&uci_ctxt.mhi_disabled)) {
		uci_log(UCI_DBG_ERROR,
			"Client %d attempted to write while MHI is disabled\n",
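Review bot: In mhi_uci_client_read the new test of `uci_handle->read` and `uci_handle->in_handle` runs before `mutex_lock(mutex);`, which leaves a check-then-use window: if the release or disconnect path clears these fields (not visible here), they can become invalid between the test and the locked section. Consider moving the test directly below `mutex_lock(mutex);` and adding `mutex_unlock(mutex);` before its `return -EINVAL;`. The same applies to the `send`/`out_handle` test in mhi_uci_client_write, where no lock is taken in the visible lines. Both function bodies continue outside their hunks.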