msm: mhi_dev: Fix invalid client access

Check if handle passed from clients is valid before dereference. Change-Id: I68a1a826f7b85a7e24f2cb75916c50e6788536e9 Signed-off-by: Siddartha Mohanadoss <smohanad@codeaurora.org>
5 years ago · 729858b485
parent 222949dc1d
commit 729858b485
2 changed files with 33 additions and 4 deletions
--- a/drivers/platform/msm/mhi_dev/mhi.c
+++ b/drivers/platform/msm/mhi_dev/mhi.c
@ -2282,6 +2282,7 @@ free_ereqs:
 	ch->ereqs = NULL;
 free_client:
 	kfree(*handle_client);
+	*handle_client = NULL;
 exit:
 	mutex_unlock(&ch->ch_lock);
 	return rc;
@ -2293,6 +2294,11 @@ int mhi_dev_channel_isempty(struct mhi_dev_client *handle)
 	struct mhi_dev_channel *ch;
 	int rc;

+	if (!handle) {
+		mhi_log(MHI_MSG_ERROR, "Invalid channel access\n");
+		return -EINVAL;
+	}
+
 	ch = handle->channel;
 	if (!ch)
 		return -EINVAL;
@ -2308,6 +2314,11 @@ int mhi_dev_close_channel(struct mhi_dev_client *handle)
 	struct mhi_dev_channel *ch;
 	int rc = 0;

+	if (!handle) {
+		mhi_log(MHI_MSG_ERROR, "Invalid channel access\n");
+		return -EINVAL;
+	}
+
 	ch = handle->channel;

 	mutex_lock(&ch->ch_lock);
--- a/drivers/platform/msm/mhi_dev/mhi_uci.c
+++ b/drivers/platform/msm/mhi_dev/mhi_uci.c
@ -914,9 +914,14 @@ static int mhi_uci_client_open(struct inode *mhi_inode,
 				"Opening channels client %d\n",
 				iminor(mhi_inode));
 			rc = open_client_mhi_channels(uci_handle);
-			if (rc) {
+			if (rc < 0) {
 				uci_log(UCI_DBG_INFO,
 					"Failed to open channels ret %d\n", rc);
+				if (atomic_sub_return(1, &uci_handle->ref_count)
+									== 0) {
+					uci_log(UCI_DBG_INFO,
+						"Closing failed channel\n");
+				}
 				return rc;
 			}
 		}
@ -1148,7 +1153,16 @@ static ssize_t mhi_uci_client_read(struct file *file, char __user *ubuf,
 	ssize_t bytes_copied = 0;
 	u32 addr_offset = 0;

+	if (!file || !ubuf || !file->private_data) {
+		uci_log(UCI_DBG_DBG, "Invalid access to read\n");
+		return -EINVAL;
+	}
+
 	uci_handle = file->private_data;
+	if (!uci_handle->read || !uci_handle->in_handle) {
+		uci_log(UCI_DBG_DBG, "Invalid inhandle or read\n");
+		return -EINVAL;
+	}
 	mutex = &uci_handle->in_chan_lock;
 	mutex_lock(mutex);

@ -1216,12 +1230,16 @@ static ssize_t mhi_uci_client_write(struct file *file,
 	unsigned long memcpy_result;
 	int rc;

-	if (file == NULL || buf == NULL ||
-		!count || file->private_data == NULL)
+	if (!file || !buf || !count || !file->private_data) {
+		uci_log(UCI_DBG_DBG, "Invalid access to write\n");
 		return -EINVAL;
+	}

 	uci_handle = file->private_data;
-
+	if (!uci_handle->send || !uci_handle->out_handle) {
+		uci_log(UCI_DBG_DBG, "Invalid handle or send\n");
+		return -EINVAL;
+	}
 	if (atomic_read(&uci_ctxt.mhi_disabled)) {
 		uci_log(UCI_DBG_ERROR,
 			"Client %d attempted to write while MHI is disabled\n",