Message ID | 1588042766-17496-3-git-send-email-bbhatt@codeaurora.org (mailing list archive) |
---|---|
State | Superseded |
Headers | show |
Series | Bug fixes and improved logging in MHI | expand |
On 4/27/2020 8:59 PM, Bhaumik Bhatt wrote: > From: Hemant Kumar <hemantk@codeaurora.org> > > MHI data completion handler function reads channel id from event > ring element. Value is under the control of MHI devices and can be > any value between 0 and 255. In order to prevent out of bound access > add a bound check against the max channel supported by controller > and skip processing of that event ring element. > > Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> > Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> > --- > drivers/bus/mhi/core/main.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c > index 23154f1..1ccd4cc 100644 > --- a/drivers/bus/mhi/core/main.c > +++ b/drivers/bus/mhi/core/main.c > @@ -827,6 +827,9 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, > enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp); > > chan = MHI_TRE_GET_EV_CHID(local_rp); > + if (WARN_ON(chan >= mhi_cntrl->max_chan)) > + goto next_event; > + > mhi_chan = &mhi_cntrl->mhi_chan[chan]; > > if (likely(type == MHI_PKT_TYPE_TX_EVENT)) { > @@ -837,6 +840,7 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, > event_quota--; > } > > +next_event: > mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring); > local_rp = ev_ring->rp; > dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); > It looks like the same issue exists in mhi_process_ctrl_ev_ring(), and thus some form of this solution needs to be applied there as well. Would you please fix that too?
Hi Jeff On 4/28/20 7:44 AM, Jeffrey Hugo wrote: > On 4/27/2020 8:59 PM, Bhaumik Bhatt wrote: >> From: Hemant Kumar <hemantk@codeaurora.org> >> >> MHI data completion handler function reads channel id from event >> ring element. Value is under the control of MHI devices and can be >> any value between 0 and 255. In order to prevent out of bound access >> add a bound check against the max channel supported by controller >> and skip processing of that event ring element. >> >> Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> >> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> >> --- >> drivers/bus/mhi/core/main.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c >> index 23154f1..1ccd4cc 100644 >> --- a/drivers/bus/mhi/core/main.c >> +++ b/drivers/bus/mhi/core/main.c >> @@ -827,6 +827,9 @@ int mhi_process_data_event_ring(struct >> mhi_controller *mhi_cntrl, >> enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp); >> chan = MHI_TRE_GET_EV_CHID(local_rp); >> + if (WARN_ON(chan >= mhi_cntrl->max_chan)) >> + goto next_event; >> + >> mhi_chan = &mhi_cntrl->mhi_chan[chan]; >> if (likely(type == MHI_PKT_TYPE_TX_EVENT)) { >> @@ -837,6 +840,7 @@ int mhi_process_data_event_ring(struct >> mhi_controller *mhi_cntrl, >> event_quota--; >> } >> +next_event: >> mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring); >> local_rp = ev_ring->rp; >> dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); >> > > It looks like the same issue exists in mhi_process_ctrl_ev_ring(), and > thus some form of this solution needs to be applied there as well. Would > you please fix that too? > As discussed with you off line, spec allows to have just event ring to be used for both data and control. Updating this in V3.
diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c index 23154f1..1ccd4cc 100644 --- a/drivers/bus/mhi/core/main.c +++ b/drivers/bus/mhi/core/main.c @@ -827,6 +827,9 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp); chan = MHI_TRE_GET_EV_CHID(local_rp); + if (WARN_ON(chan >= mhi_cntrl->max_chan)) + goto next_event; + mhi_chan = &mhi_cntrl->mhi_chan[chan]; if (likely(type == MHI_PKT_TYPE_TX_EVENT)) { @@ -837,6 +840,7 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, event_quota--; } +next_event: mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring); local_rp = ev_ring->rp; dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);