Merge "mhi: core: Add checks for bhi and bhie offsets"

commit: a8653d51b263f7824466170c7ee9ac02f3a9f941 [log] [tgz]
author: qctecmdr <qctecmdr@localhost> Fri May 22 15:47:52 2020 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Fri May 22 15:47:52 2020 -0700
tree: af655abe83c13ad763efc9e20da463885bd0cc56
parent: c2c6dc74e7ad6f3314a2ad2cd3bfd207e4eb28f3 [diff]
parent: 7105034e8375bb0ca879e09492dcbfd0a71b9227 [diff]
diff --git a/drivers/bus/mhi/controllers/mhi_qcom.c b/drivers/bus/mhi/controllers/mhi_qcom.c
index 61de2b1..715fa86 100644
--- a/drivers/bus/mhi/controllers/mhi_qcom.c
+++ b/drivers/bus/mhi/controllers/mhi_qcom.c

@@ -124,6 +124,7 @@
 		MHI_CNTRL_ERR("Error ioremap region\n");
 		goto error_ioremap;
 	}
+	mhi_cntrl->len = len;
 
 	ret = pci_alloc_irq_vectors(pci_dev, mhi_cntrl->msi_required,
 				    mhi_cntrl->msi_required, PCI_IRQ_MSI);

diff --git a/drivers/bus/mhi/core/mhi_pm.c b/drivers/bus/mhi/core/mhi_pm.c
index a4e63bc..d86107b 100644
--- a/drivers/bus/mhi/core/mhi_pm.c
+++ b/drivers/bus/mhi/core/mhi_pm.c

@@ -947,6 +947,12 @@
 		goto error_bhi_offset;
 	}
 
+	if (val >= mhi_cntrl->len) {
+		write_unlock_irq(&mhi_cntrl->pm_lock);
+		MHI_ERR("Invalid bhi offset:%x\n", val);
+		goto error_bhi_offset;
+	}
+
 	mhi_cntrl->bhi = mhi_cntrl->regs + val;
 
 	/* setup bhie offset if not set */
@@ -958,6 +964,12 @@
 			goto error_bhi_offset;
 		}
 
+		if (val >= mhi_cntrl->len) {
+			write_unlock_irq(&mhi_cntrl->pm_lock);
+			MHI_ERR("Invalid bhie offset:%x\n", val);
+			goto error_bhi_offset;
+		}
+
 		mhi_cntrl->bhie = mhi_cntrl->regs + val;
 	}
 

diff --git a/drivers/net/wireless/cnss2/pci.c b/drivers/net/wireless/cnss2/pci.c
index cc94890..6a91e49 100644
--- a/drivers/net/wireless/cnss2/pci.c
+++ b/drivers/net/wireless/cnss2/pci.c

@@ -4288,8 +4288,10 @@
 	mhi_ctrl->fw_image_fallback = plat_priv->fw_fallback_name;
 
 	mhi_ctrl->regs = pci_priv->bar;
-	cnss_pr_dbg("BAR starts at %pa\n",
-		    &pci_resource_start(pci_priv->pci_dev, PCI_BAR_NUM));
+	mhi_ctrl->len = pci_resource_len(pci_priv->pci_dev, PCI_BAR_NUM);
+	cnss_pr_dbg("BAR starts at %pa, len-%x\n",
+		    &pci_resource_start(pci_priv->pci_dev, PCI_BAR_NUM),
+		    mhi_ctrl->len);
 
 	ret = cnss_pci_get_mhi_msi(pci_priv);
 	if (ret) {

diff --git a/include/linux/mhi.h b/include/linux/mhi.h
index 547beaf..51a5ec4 100644
--- a/include/linux/mhi.h
+++ b/include/linux/mhi.h

@@ -260,6 +260,7 @@
 
 	/* mmio base */
 	phys_addr_t base_addr;
+	unsigned int len;
 	void __iomem *regs;
 	void __iomem *bhi;
 	void __iomem *bhie;
commit	a8653d51b263f7824466170c7ee9ac02f3a9f941	[log] [tgz]
author	qctecmdr <qctecmdr@localhost>	Fri May 22 15:47:52 2020 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Fri May 22 15:47:52 2020 -0700
tree	af655abe83c13ad763efc9e20da463885bd0cc56
parent	c2c6dc74e7ad6f3314a2ad2cd3bfd207e4eb28f3 [diff]
parent	7105034e8375bb0ca879e09492dcbfd0a71b9227 [diff]