Commit 02096068 authored by Hemant Kumar's avatar Hemant Kumar Committed by Greg Kroah-Hartman
Browse files

bus: mhi: core: Add range check for channel id received in event ring 



MHI data completion handler function reads channel id from event
ring element. Value is under the control of MHI devices and can be
any value between 0 and 255. In order to prevent out of bound access
add a bound check against the max channel supported by controller
and skip processing of that event ring element.

Signed-off-by: default avatarHemant Kumar <hemantk@codeaurora.org>
Signed-off-by: default avatarBhaumik Bhatt <bbhatt@codeaurora.org>
Reviewed-by: default avatarJeffrey Hugo <jhugo@codeaurora.org>
Reviewed-by: default avatarManivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: default avatarManivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20200521170249.21795-4-manivannan.sadhasivam@linaro.org


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 44d4e063

drivers/bus/mhi/core/main.c

+29 −11
Original line number Diff line number Diff line
@@ -775,9 +775,18 @@ int mhi_process_ctrl_ev_ring(struct mhi_controller *mhi_cntrl, 
		}

		case MHI_PKT_TYPE_TX_EVENT:

			chan = MHI_TRE_GET_EV_CHID(local_rp);



			WARN_ON(chan >= mhi_cntrl->max_chan);



			/*

			 * Only process the event ring elements whose channel

			 * ID is within the maximum supported range.

			 */

			if (chan < mhi_cntrl->max_chan) {

				mhi_chan = &mhi_cntrl->mhi_chan[chan];

				parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);

				event_quota--;

			}

			break;

		default:

			dev_err(dev, "Unhandled event type: %d\n", type);
@@ -820,6 +829,14 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, 
		enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp);



		chan = MHI_TRE_GET_EV_CHID(local_rp);



		WARN_ON(chan >= mhi_cntrl->max_chan);



		/*

		 * Only process the event ring elements whose channel

		 * ID is within the maximum supported range.

		 */

		if (chan < mhi_cntrl->max_chan) {

			mhi_chan = &mhi_cntrl->mhi_chan[chan];



			if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
@@ -829,6 +846,7 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, 
				parse_rsc_event(mhi_cntrl, local_rp, mhi_chan);

				event_quota--;

			}

		}



		mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);

		local_rp = ev_ring->rp;

CRA Git | Maintained and supported by SUSTech CRA and CCSE