Skip to content

Commit

Permalink
bus: mhi: core: Validate channel ID when processing command completions
Browse files Browse the repository at this point in the history
commit 546362a upstream.

MHI reads the channel ID from the event ring element sent by the
device which can be any value between 0 and 255. In order to
prevent any out of bound accesses, add a check against the maximum
number of channels supported by the controller and those channels
not configured yet so as to skip processing of that event ring
element.

Link: https://lore.kernel.org/r/[email protected]
Fixes: 1d3173a ("bus: mhi: core: Add support for processing events from client device")
Cc: [email protected] #5.10
Reviewed-by: Hemant Kumar <[email protected]>
Reviewed-by: Manivannan Sadhasivam <[email protected]>
Reviewed-by: Jeffrey Hugo <[email protected]>
Signed-off-by: Bhaumik Bhatt <[email protected]>
Signed-off-by: Manivannan Sadhasivam <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Greg Kroah-Hartman <[email protected]>
  • Loading branch information
Bhaumik Bhatt authored and gregkh committed Jul 28, 2021
1 parent a882706 commit aed4f5b
Showing 1 changed file with 12 additions and 5 deletions.
17 changes: 12 additions & 5 deletions drivers/bus/mhi/core/main.c
Original file line number Diff line number Diff line change
Expand Up @@ -773,11 +773,18 @@ static void mhi_process_cmd_completion(struct mhi_controller *mhi_cntrl,
cmd_pkt = mhi_to_virtual(mhi_ring, ptr);

chan = MHI_TRE_GET_CMD_CHID(cmd_pkt);
mhi_chan = &mhi_cntrl->mhi_chan[chan];
write_lock_bh(&mhi_chan->lock);
mhi_chan->ccs = MHI_TRE_GET_EV_CODE(tre);
complete(&mhi_chan->completion);
write_unlock_bh(&mhi_chan->lock);

if (chan < mhi_cntrl->max_chan &&
mhi_cntrl->mhi_chan[chan].configured) {
mhi_chan = &mhi_cntrl->mhi_chan[chan];
write_lock_bh(&mhi_chan->lock);
mhi_chan->ccs = MHI_TRE_GET_EV_CODE(tre);
complete(&mhi_chan->completion);
write_unlock_bh(&mhi_chan->lock);
} else {
dev_err(&mhi_cntrl->mhi_dev->dev,
"Completion packet for invalid channel ID: %d\n", chan);
}

mhi_del_ring_element(mhi_cntrl, mhi_ring);
}
Expand Down

0 comments on commit aed4f5b

Please sign in to comment.