releases/5.13.6/bus-mhi-core-validate-channel-id-when-processing-command-completions.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 546362a9ef2ef40b57c6605f14e88ced507f8dd0 Mon Sep 17 00:00:00 2001
 From: Bhaumik Bhatt <bbhatt@codeaurora.org>
 Date: Fri, 16 Jul 2021 13:21:05 +0530
 Subject: bus: mhi: core: Validate channel ID when processing command completions

 From: Bhaumik Bhatt <bbhatt@codeaurora.org>

 commit 546362a9ef2ef40b57c6605f14e88ced507f8dd0 upstream.

 MHI reads the channel ID from the event ring element sent by the
 device which can be any value between 0 and 255. In order to
 prevent any out of bound accesses, add a check against the maximum
 number of channels supported by the controller and those channels
 not configured yet so as to skip processing of that event ring
 element.

 Link: https://lore.kernel.org/r/1624558141-11045-1-git-send-email-bbhatt@codeaurora.org
 Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device")
 Cc: stable@vger.kernel.org #5.10
 Reviewed-by: Hemant Kumar <hemantk@codeaurora.org>
 Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
 Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
 Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
 Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
 Link: https://lore.kernel.org/r/20210716075106.49938-3-manivannan.sadhasivam@linaro.org
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/bus/mhi/core/main.c |   17 ++++++++++++-----
  1 file changed, 12 insertions(+), 5 deletions(-)

 --- a/drivers/bus/mhi/core/main.c
 +++ b/drivers/bus/mhi/core/main.c
 @@ -773,11 +773,18 @@ static void mhi_process_cmd_completion(s
  	cmd_pkt = mhi_to_virtual(mhi_ring, ptr);

  	chan = MHI_TRE_GET_CMD_CHID(cmd_pkt);
 -	mhi_chan = &mhi_cntrl->mhi_chan[chan];
 -	write_lock_bh(&mhi_chan->lock);
 -	mhi_chan->ccs = MHI_TRE_GET_EV_CODE(tre);
 -	complete(&mhi_chan->completion);
 -	write_unlock_bh(&mhi_chan->lock);
 +
 +	if (chan < mhi_cntrl->max_chan &&
 +	    mhi_cntrl->mhi_chan[chan].configured) {
 +		mhi_chan = &mhi_cntrl->mhi_chan[chan];
 +		write_lock_bh(&mhi_chan->lock);
 +		mhi_chan->ccs = MHI_TRE_GET_EV_CODE(tre);
 +		complete(&mhi_chan->completion);
 +		write_unlock_bh(&mhi_chan->lock);
 +	} else {
 +		dev_err(&mhi_cntrl->mhi_dev->dev,
 +			"Completion packet for invalid channel ID: %d\n", chan);
 +	}

  	mhi_del_ring_element(mhi_cntrl, mhi_ring);
  }
	From 546362a9ef2ef40b57c6605f14e88ced507f8dd0 Mon Sep 17 00:00:00 2001
	From: Bhaumik Bhatt <bbhatt@codeaurora.org>
	Date: Fri, 16 Jul 2021 13:21:05 +0530
	Subject: bus: mhi: core: Validate channel ID when processing command completions

	From: Bhaumik Bhatt <bbhatt@codeaurora.org>

	commit 546362a9ef2ef40b57c6605f14e88ced507f8dd0 upstream.

	MHI reads the channel ID from the event ring element sent by the
	device which can be any value between 0 and 255. In order to
	prevent any out of bound accesses, add a check against the maximum
	number of channels supported by the controller and those channels
	not configured yet so as to skip processing of that event ring
	element.

	Link: https://lore.kernel.org/r/1624558141-11045-1-git-send-email-bbhatt@codeaurora.org
	Fixes: 1d3173a3bae7 ("bus: mhi: core: Add support for processing events from client device")
	Cc: stable@vger.kernel.org #5.10
	Reviewed-by: Hemant Kumar <hemantk@codeaurora.org>
	Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
	Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
	Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
	Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
	Link: https://lore.kernel.org/r/20210716075106.49938-3-manivannan.sadhasivam@linaro.org
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/bus/mhi/core/main.c \| 17 ++++++++++++-----
	1 file changed, 12 insertions(+), 5 deletions(-)

	--- a/drivers/bus/mhi/core/main.c
	+++ b/drivers/bus/mhi/core/main.c
	@@ -773,11 +773,18 @@ static void mhi_process_cmd_completion(s
	cmd_pkt = mhi_to_virtual(mhi_ring, ptr);

	chan = MHI_TRE_GET_CMD_CHID(cmd_pkt);
	- mhi_chan = &mhi_cntrl->mhi_chan[chan];
	- write_lock_bh(&mhi_chan->lock);
	- mhi_chan->ccs = MHI_TRE_GET_EV_CODE(tre);
	- complete(&mhi_chan->completion);
	- write_unlock_bh(&mhi_chan->lock);
	+
	+ if (chan < mhi_cntrl->max_chan &&
	+ mhi_cntrl->mhi_chan[chan].configured) {
	+ mhi_chan = &mhi_cntrl->mhi_chan[chan];
	+ write_lock_bh(&mhi_chan->lock);
	+ mhi_chan->ccs = MHI_TRE_GET_EV_CODE(tre);
	+ complete(&mhi_chan->completion);
	+ write_unlock_bh(&mhi_chan->lock);
	+ } else {
	+ dev_err(&mhi_cntrl->mhi_dev->dev,
	+ "Completion packet for invalid channel ID: %d\n", chan);
	+ }

	mhi_del_ring_element(mhi_cntrl, mhi_ring);
	}