
Commit 61fc79fb authored by Sujeev Dias, committed by Gerrit - the friendly Code Review server

mhi: core: fix null pointer dereference during channel reset



During MHI device destroy, MHI host does a channel reset.
As part of channel reset, MHI device drivers require
access to mhi device pointer associated with current channel.
Defer setting mhi device to null until channel reset is complete.

CRs-Fixed: 2237717
Change-Id: Ic3fb99e17c01c305fb521cc9fe59e7a1da7cc592
Signed-off-by: Sujeev Dias <sdias@codeaurora.org>
parent 2294dae7
+3 −0
@@ -1242,6 +1242,9 @@ static int mhi_driver_remove(struct device *dev)
		    !mhi_chan->offload_ch)
			mhi_deinit_chan_ctxt(mhi_cntrl, mhi_chan);

		/* remove associated device */
		mhi_chan->mhi_dev = NULL;

		mutex_unlock(&mhi_chan->mutex);
	}
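
Review bot: the `/* remove associated device */` comment above `mhi_chan->mhi_dev = NULL;` does not record the ordering requirement from the commit message, namely that the pointer has to stay valid until channel reset has finished because client drivers use it during reset. Suggest saying so in the comment, so a later cleanup does not move the assignment back ahead of the reset. Keeping the store before `mutex_unlock(&mhi_chan->mutex)` is right; any reader of `mhi_chan->mhi_dev` outside this function should take the same mutex or NULL-check the pointer.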

+0 −16
@@ -461,32 +461,16 @@ int mhi_queue_buf(struct mhi_device *mhi_dev,
int mhi_destroy_device(struct device *dev, void *data)
{
	struct mhi_device *mhi_dev;
	struct mhi_driver *mhi_drv;
	struct mhi_controller *mhi_cntrl;
	struct mhi_chan *mhi_chan;
	int dir;

	if (dev->bus != &mhi_bus_type)
		return 0;

	mhi_dev = to_mhi_device(dev);
	mhi_drv = to_mhi_driver(dev->driver);
	mhi_cntrl = mhi_dev->mhi_cntrl;

	MHI_LOG("destroy device for chan:%s\n", mhi_dev->chan_name);

	for (dir = 0; dir < 2; dir++) {
		mhi_chan = dir ? mhi_dev->ul_chan : mhi_dev->dl_chan;

		if (!mhi_chan)
			continue;

		/* remove device associated with the channel */
		mutex_lock(&mhi_chan->mutex);
		mhi_chan->mhi_dev = NULL;
		mutex_unlock(&mhi_chan->mutex);
	}

	/* notify the client and remove the device from mhi bus */
	device_del(dev);
	put_device(dev);
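
Review bot: with the `mhi_chan->mhi_dev = NULL` loop no longer run in `mhi_destroy_device()`, clearing the pointer depends entirely on `mhi_driver_remove()` being called from `device_del(dev)`, and the driver core only calls a remove callback when a driver is bound. For a device with no bound driver, `ul_chan`/`dl_chan` would still point at `mhi_dev` after `put_device(dev)` drops the reference, which trades the NULL dereference for a possible stale pointer. Suggest either keeping the clear here for the unbound case (after `device_del()` returns) or documenting why an unbound MHI device cannot reach this path.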