diff options
-rw-r--r-- | drivers/bus/mhi/core/mhi_internal.h | 6 | ||||
-rw-r--r-- | drivers/bus/mhi/core/mhi_main.c | 16 |
2 files changed, 21 insertions, 1 deletions
diff --git a/drivers/bus/mhi/core/mhi_internal.h b/drivers/bus/mhi/core/mhi_internal.h index f078adc92207..001a944d7f6c 100644 --- a/drivers/bus/mhi/core/mhi_internal.h +++ b/drivers/bus/mhi/core/mhi_internal.h @@ -808,6 +808,12 @@ static inline void mhi_trigger_resume(struct mhi_controller *mhi_cntrl) pm_wakeup_hard_event(&mhi_cntrl->mhi_dev->dev); } +static inline bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr) +{ + return ((addr >= ring->iommu_base && + addr < ring->iommu_base + ring->len) && (addr % 16 == 0)); +} + /* queue transfer buffer */ int mhi_gen_tre(struct mhi_controller *mhi_cntrl, struct mhi_chan *mhi_chan, void *buf, void *cb, size_t buf_len, enum MHI_FLAGS flags); diff --git a/drivers/bus/mhi/core/mhi_main.c b/drivers/bus/mhi/core/mhi_main.c index de4cfdb8823f..946b24e2e1df 100644 --- a/drivers/bus/mhi/core/mhi_main.c +++ b/drivers/bus/mhi/core/mhi_main.c @@ -1385,6 +1385,13 @@ int mhi_process_tsync_ev_ring(struct mhi_controller *mhi_cntrl, int ret = 0; spin_lock_bh(&mhi_event->lock); + if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) { + MHI_ERR( + "Event ring rp points outside of the event ring or unalign rp %llx\n", + er_ctxt->rp); + spin_unlock_bh(&mhi_event->lock); + return 0; + } dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); if (ev_ring->rp == dev_rp) { spin_unlock_bh(&mhi_event->lock); @@ -1477,8 +1484,15 @@ int mhi_process_bw_scale_ev_ring(struct mhi_controller *mhi_cntrl, int result, ret = 0; spin_lock_bh(&mhi_event->lock); - dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); + if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) { + MHI_ERR( + "Event ring rp points outside of the event ring or unalign rp %llx\n", + er_ctxt->rp); + spin_unlock_bh(&mhi_event->lock); + return 0; + } + dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp); if (ev_ring->rp == dev_rp) { spin_unlock_bh(&mhi_event->lock); goto exit_bw_scale_process; |