android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

mhi: core: Avoid race condition mhi channel prepare and M0 event

Browse Source 
There is one race condition where mhi_prepare_channel is called
in which read pointer and write pointer is set to base address
and in parallel there could be an MHI M0 transaction which
checks any pending event rings on all channels (tre_ring)
with RP != WP and rings channel DB which causes Null pointer
access. Check for MHI channel is enabled before ringing channel
doorbell. Reset mhi channel chan_ctxt, tre_ring and buf_ring
wp and rp to NULL in mhi_deinit_chan_ctxt.

Change-Id: If30908fc7fcc26f6987bd0da886bb75468a29b9e
Signed-off-by: Vivek Pernamitta <vpernami@codeaurora.org>
This commit is contained in:
Vivek Pernamitta 2021-08-19 12:50:16 +05:30 committed by Gerrit - the friendly Code Review server
parent 528dad421a
commit afdefc05f7
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
drivers/bus/mhi/core/mhi_init.c
View File

@ -1063,7 +1063,16 @@ void mhi_deinit_chan_ctxt(struct mhi_controller *mhi_cntrl,
vfree(buf_ring->base);
buf_ring->base = tre_ring->base = NULL;
tre_ring->ctxt_wp = NULL;
chan_ctxt->rbase = 0;
chan_ctxt->rlen = 0;
chan_ctxt->rp = chan_ctxt->wp = chan_ctxt->rbase;
tre_ring->rp = tre_ring->wp = tre_ring->base;
buf_ring->rp = buf_ring->wp = buf_ring->base;
/* Update to all cores */
smp_wmb();
}
int mhi_init_chan_ctxt(struct mhi_controller *mhi_cntrl,

3
drivers/bus/mhi/core/mhi_pm.c
View File

@ -394,7 +394,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl)
read_lock_irq(&mhi_chan->lock);
/* only ring DB if ring is not empty */
if (tre_ring->base && tre_ring->wp != tre_ring->rp)
if (tre_ring->base && tre_ring->wp != tre_ring->rp &&
mhi_chan->ch_state == MHI_CH_STATE_ENABLED)
mhi_ring_chan_db(mhi_cntrl, mhi_chan);
read_unlock_irq(&mhi_chan->lock);
}