bus: mhi: core: Add range check for channel id received in event ring

MHI data completion handler function reads channel id from event ring element. Value is under the control of MHI devices and can be any value between 0 and 255. In order to prevent out of bound access add a bound check against the max channel supported by controller and skip processing of that event ring element. Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Link: https://lore.kernel.org/r/20200521170249.21795-4-manivannan.sadhasivam@linaro.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

bus: mhi: core: Add range check for channel id received in event ring
MHI data completion handler function reads channel id from event ring element. Value is under the control of MHI devices and can be any value between 0 and 255. In order to prevent out of bound access add a bound check against the max channel supported by controller and skip processing of that event ring element. Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org> Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Link: https://lore.kernel.org/r/20200521170249.21795-4-manivannan.sadhasivam@linaro.orgSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
02096068 · Hemant Kumar · Greg Kroah-Hartman · 44d4e063 · 02096068
Commit 02096068 authored May 21, 2020 by Hemant Kumar Committed by Greg Kroah-Hartman May 22, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 11 deletions

drivers/bus/mhi/core/main.c drivers/bus/mhi/core/main.c +29 -11

No files found.
--- a/drivers/bus/mhi/core/main.c
+++ b/drivers/bus/mhi/core/main.c
@@ -775,9 +775,18 @@ int mhi_process_ctrl_ev_ring(struct mhi_controller *mhi_cntrl,
 		}
 		case MHI_PKT_TYPE_TX_EVENT:
 			chan = MHI_TRE_GET_EV_CHID(local_rp);
-			mhi_chan = &mhi_cntrl->mhi_chan[chan];
-			parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
-			event_quota--;
+
+			WARN_ON(chan >= mhi_cntrl->max_chan);
+
+			/*
+			 * Only process the event ring elements whose channel
+			 * ID is within the maximum supported range.
+			 */
+			if (chan < mhi_cntrl->max_chan) {
+				mhi_chan = &mhi_cntrl->mhi_chan[chan];
+				parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
+				event_quota--;
+			}
 			break;
 		default:
 			dev_err(dev, "Unhandled event type: %d\n", type);
@@ -820,14 +829,23 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
 		enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp);

 		chan = MHI_TRE_GET_EV_CHID(local_rp);
-		mhi_chan = &mhi_cntrl->mhi_chan[chan];
-
-		if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
-			parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
-			event_quota--;
-		} else if (type == MHI_PKT_TYPE_RSC_TX_EVENT) {
-			parse_rsc_event(mhi_cntrl, local_rp, mhi_chan);
-			event_quota--;
+
+		WARN_ON(chan >= mhi_cntrl->max_chan);
+
+		/*
+		 * Only process the event ring elements whose channel
+		 * ID is within the maximum supported range.
+		 */
+		if (chan < mhi_cntrl->max_chan) {
+			mhi_chan = &mhi_cntrl->mhi_chan[chan];
+
+			if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
+				parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
+				event_quota--;
+			} else if (type == MHI_PKT_TYPE_RSC_TX_EVENT) {
+				parse_rsc_event(mhi_cntrl, local_rp, mhi_chan);
+				event_quota--;
+			}
 		}

 		mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);