Merge "bus: mhi: misc: Add check for dev_rp if it is iommu range or not"
diff --git a/drivers/bus/mhi/core/mhi_internal.h b/drivers/bus/mhi/core/mhi_internal.h
index f078adc..001a944 100644
--- a/drivers/bus/mhi/core/mhi_internal.h
+++ b/drivers/bus/mhi/core/mhi_internal.h
@@ -808,6 +808,12 @@
pm_wakeup_hard_event(&mhi_cntrl->mhi_dev->dev);
}
+static inline bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr)
+{
+ return ((addr >= ring->iommu_base &&
+ addr < ring->iommu_base + ring->len) && (addr % 16 == 0));
+}
+
/* queue transfer buffer */
int mhi_gen_tre(struct mhi_controller *mhi_cntrl, struct mhi_chan *mhi_chan,
void *buf, void *cb, size_t buf_len, enum MHI_FLAGS flags);
diff --git a/drivers/bus/mhi/core/mhi_main.c b/drivers/bus/mhi/core/mhi_main.c
index 3098f38..e4d8943 100644
--- a/drivers/bus/mhi/core/mhi_main.c
+++ b/drivers/bus/mhi/core/mhi_main.c
@@ -1385,6 +1385,13 @@
int ret = 0;
spin_lock_bh(&mhi_event->lock);
+ if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) {
+ MHI_ERR(
+ "Event ring rp points outside of the event ring or unalign rp %llx\n",
+ er_ctxt->rp);
+ spin_unlock_bh(&mhi_event->lock);
+ return 0;
+ }
dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
if (ev_ring->rp == dev_rp) {
spin_unlock_bh(&mhi_event->lock);
@@ -1477,8 +1484,15 @@
int result, ret = 0;
spin_lock_bh(&mhi_event->lock);
- dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
+ if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) {
+ MHI_ERR(
+ "Event ring rp points outside of the event ring or unalign rp %llx\n",
+ er_ctxt->rp);
+ spin_unlock_bh(&mhi_event->lock);
+ return 0;
+ }
+ dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
if (ev_ring->rp == dev_rp) {
spin_unlock_bh(&mhi_event->lock);
goto exit_bw_scale_process;