Re: [PATCH v6 3/8] bus: mhi: core: Add range check for channel id received in event ring

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Hemant Kumar <hemantk@codeaurora.org>
To: Manivannan Sadhasivam <mani@kernel.org>,
	Bhaumik Bhatt <bbhatt@codeaurora.org>
Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
	jhugo@codeaurora.org
Subject: Re: [PATCH v6 3/8] bus: mhi: core: Add range check for channel id received in event ring
Date: Fri, 8 May 2020 10:34:13 -0700	[thread overview]
Message-ID: <82e131f8-8c67-23c3-3ac2-a05eb04d50ba@codeaurora.org> (raw)
In-Reply-To: <20200508054518.GA2696@Mani-XPS-13-9360>

Hi Mani,

On 5/7/20 10:45 PM, Manivannan Sadhasivam wrote:
> On Tue, May 05, 2020 at 03:47:07PM -0700, Bhaumik Bhatt wrote:
>> From: Hemant Kumar <hemantk@codeaurora.org>
>>
>> MHI data completion handler function reads channel id from event
>> ring element. Value is under the control of MHI devices and can be
>> any value between 0 and 255. In order to prevent out of bound access
>> add a bound check against the max channel supported by controller
>> and skip processing of that event ring element.
>>
>> Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
>> Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
>> Reviewed-by: Jeffrey Hugo <jhugo@codeaurora.org>
>> ---
>>   drivers/bus/mhi/core/main.c | 8 ++++++++
>>   1 file changed, 8 insertions(+)
>>
>> diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c
>> index 605640c..e60ab21 100644
>> --- a/drivers/bus/mhi/core/main.c
>> +++ b/drivers/bus/mhi/core/main.c
>> @@ -776,6 +776,9 @@ int mhi_process_ctrl_ev_ring(struct mhi_controller *mhi_cntrl,
>>   		case MHI_PKT_TYPE_TX_EVENT:
>>   			chan = MHI_TRE_GET_EV_CHID(local_rp);
>>   			mhi_chan = &mhi_cntrl->mhi_chan[chan];
> 
> Check should be done before this statement, isn't it?
my bad. thanks for pointing that out.
> 
>> +			if (WARN_ON(chan >= mhi_cntrl->max_chan))
>> +				goto next_event;
>> +
> 
> I don't prefer using gotos for non exit paths but I don't have a better solution
> here. But you can try to wrap 'WARN_ON' inside the 'MHI_TRE_GET_EV_CHID'
> definition and the just use:
Instead of moving WARN_ON to macro as it requires mhi_cntrl->max_chan to 
compare, how about just adding WARN_ON statement above if condition like 
this

		WARN_ON(chan >= mhi_cntrl->max_chan);
		/*
  		 * Only process the event ring elements whose channel
		 * ID is within the maximum supported range.
		 */
  		if (chan < mhi_cntrl->max_chan) {
                       	mhi_chan = &mhi_cntrl->mhi_chan[chan];
                        	parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
                           	event_quota--;
  		}
  		break;
> 
> 			/*
> 			 * Only process the event ring elements whose channel
> 			 * ID is within the maximum supported range.
> 			 */
> 			if (chan < mhi_cntrl->max_chan) {
>                          	mhi_chan = &mhi_cntrl->mhi_chan[chan];
>                          	parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
>                          	event_quota--;
> 			}
> 			break;
> 
> This looks more clean.

> 
>>   			parse_xfer_event(mhi_cntrl, local_rp, mhi_chan);
>>   			event_quota--;
>>   			break;
>> @@ -784,6 +787,7 @@ int mhi_process_ctrl_ev_ring(struct mhi_controller *mhi_cntrl,
>>   			break;
>>   		}
>>   
>> +next_event:
>>   		mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);
>>   		local_rp = ev_ring->rp;
>>   		dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
> 
> So you want the count to get increased for skipped element also?
yeah idea is to have total count of events processed even if channel id 
is not correct for that event. This fix is a security fix considering 
that the MHI device is considered as non-secured and MHI host is trying
to continue function normally and just reporting it as warning.

> 
> Thanks,
> Mani
> 
>> @@ -820,6 +824,9 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
>>   		enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp);
>>   
>>   		chan = MHI_TRE_GET_EV_CHID(local_rp);
>> +		if (WARN_ON(chan >= mhi_cntrl->max_chan))
>> +			goto next_event;
>> +
>>   		mhi_chan = &mhi_cntrl->mhi_chan[chan];
>>   
>>   		if (likely(type == MHI_PKT_TYPE_TX_EVENT)) {
>> @@ -830,6 +837,7 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl,
>>   			event_quota--;
>>   		}
>>   
>> +next_event:
>>   		mhi_recycle_ev_ring_element(mhi_cntrl, ev_ring);
>>   		local_rp = ev_ring->rp;
>>   		dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
Even this function has the same goto statement. For consistency i would 
do same thing here as well. Let me know what do you think about above 
suggestion for both functions.
>> -- 
>> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
>> a Linux Foundation Collaborative Project
>>

-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

next prev parent reply	other threads:[~2020-05-08 17:34 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-05 22:47 [PATCH v6 0/8] Bug fixes and improved logging in MHI Bhaumik Bhatt
2020-05-05 22:47 ` [PATCH v6 1/8] bus: mhi: core: Refactor mhi queue APIs Bhaumik Bhatt
2020-05-05 22:47 ` [PATCH v6 2/8] bus: mhi: core: Cache intmod from mhi event to mhi channel Bhaumik Bhatt
2020-05-05 22:47 ` [PATCH v6 3/8] bus: mhi: core: Add range check for channel id received in event ring Bhaumik Bhatt
2020-05-08  5:45   ` Manivannan Sadhasivam
2020-05-08 17:34     ` Hemant Kumar [this message]
2020-05-08 18:06       ` Manivannan Sadhasivam
2020-05-05 22:47 ` [PATCH v6 4/8] bus: mhi: core: Read transfer length from an event properly Bhaumik Bhatt
2020-05-05 22:47 ` [PATCH v6 5/8] bus: mhi: core: Handle firmware load using state worker Bhaumik Bhatt
2020-05-05 22:47 ` [PATCH v6 6/8] bus: mhi: core: Return appropriate error codes for AMSS load failure Bhaumik Bhatt
2020-05-08  6:13   ` Manivannan Sadhasivam
2020-05-05 22:47 ` [PATCH v6 7/8] bus: mhi: core: Improve debug logs for loading firmware Bhaumik Bhatt
2020-05-05 22:47 ` [PATCH v6 8/8] bus: mhi: core: Ensure non-zero session or sequence ID values are used Bhaumik Bhatt
2020-05-06  0:33   ` Jeffrey Hugo
2020-05-08  6:22   ` Manivannan Sadhasivam
2020-05-08  6:24 ` [PATCH v6 0/8] Bug fixes and improved logging in MHI Manivannan Sadhasivam

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=82e131f8-8c67-23c3-3ac2-a05eb04d50ba@codeaurora.org \
    --to=hemantk@codeaurora.org \
    --cc=bbhatt@codeaurora.org \
    --cc=jhugo@codeaurora.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mani@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox