diff options
| author | PixelBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2023-12-03 18:30:27 -0800 |
|---|---|---|
| committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2023-12-03 18:30:27 -0800 |
| commit | 6553c05256aa5226c14007fbd3172c1b08502715 (patch) | |
| tree | f98fa4efa858a83d72a603d67650c8fed9c1560f | |
| parent | 4c677e2cf5845ebc06300981a74bc130ee89e2be (diff) | |
| parent | 6283e60455dd7382e9151cf772aaa79d3ebcc6a4 (diff) | |
| download | msm-6553c05256aa5226c14007fbd3172c1b08502715.tar.gz | |
Merge android-msm-pixel-4.19-udc-qpr1 into android-msm-pixel-4.19-24Q1
SBMerger: 571992243
Change-Id: I55783355a10d5ed6463af2c83f38dcb747de631f
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
| -rw-r--r-- | drivers/bus/mhi/core/mhi_internal.h | 6 | ||||
| -rw-r--r-- | drivers/bus/mhi/core/mhi_main.c | 16 |
2 files changed, 21 insertions, 1 deletions
diff --git a/drivers/bus/mhi/core/mhi_internal.h b/drivers/bus/mhi/core/mhi_internal.h index f078adc92207..001a944d7f6c 100644 --- a/drivers/bus/mhi/core/mhi_internal.h +++ b/drivers/bus/mhi/core/mhi_internal.h @@ -808,6 +808,12 @@ static inline void mhi_trigger_resume(struct mhi_controller *mhi_cntrl) pm_wakeup_hard_event(&mhi_cntrl->mhi_dev->dev); } +static inline bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr) +{ + return ((addr >= ring->iommu_base && + addr < ring->iommu_base + ring->len) && (addr % 16 == 0)); +} + /* queue transfer buffer */ int mhi_gen_tre(struct mhi_controller *mhi_cntrl, struct mhi_chan *mhi_chan, void *buf, void *cb, size_t buf_len, enum MHI_FLAGS flags); diff --git a/drivers/bus/mhi/core/mhi_main.c b/drivers/bus/mhi/core/mhi_main.c index de4cfdb8823f..946b24e2e1df 100644 --- a/drivers/bus/mhi/core/mhi_main.c +++ b/drivers/bus/mhi/core/mhi_main.c @@ -1385,6 +1385,13 @@ int mhi_process_tsync_ev_ring(struct mhi_controller *mhi_cntrl, int ret = 0; spin_lock_bh(&mhi_event->lock); + if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) { + MHI_ERR( + "Event ring rp points outside of the event ring or unalign rp %llx\n", + er_ctxt->rp); + spin_unlock_bh(&mhi_event->lock); + return 0; + } dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); if (ev_ring->rp == dev_rp) { spin_unlock_bh(&mhi_event->lock); @@ -1477,8 +1484,15 @@ int mhi_process_bw_scale_ev_ring(struct mhi_controller *mhi_cntrl, int result, ret = 0; spin_lock_bh(&mhi_event->lock); - dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); + if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) { + MHI_ERR( + "Event ring rp points outside of the event ring or unalign rp %llx\n", + er_ctxt->rp); + spin_unlock_bh(&mhi_event->lock); + return 0; + } + dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); if (ev_ring->rp == dev_rp) { spin_unlock_bh(&mhi_event->lock); goto exit_bw_scale_process; |