mhi: uci: Fix race conditon in mhi_poll_inbound

A race condition exists in MHI_UCI whereby a client could receive
a buffer that is inconsistent with the return code from MHI.

Change-Id: I4a932ea608ce967c1588f092c60d03747bad2064
Signed-off-by: Andrei Danaila <adanaila@codeaurora.org>
Andrei Danaila 2014-12-03 10:27:26 -08:00 committed by David Keitel
parent fd631cba6d
commit b4fae77237


@ -1302,20 +1302,22 @@ int mhi_poll_inbound(struct mhi_client_handle *client_handle,
(union mhi_xfer_pkt *)pending_trb);
result->flags = pending_trb->info;
result->transaction_status = MHI_STATUS_SUCCESS;
ret_val = delete_element(local_chan_ctxt,
&local_chan_ctxt->ack_rp,
&local_chan_ctxt->rp, NULL);
if (ret_val != MHI_STATUS_SUCCESS) {
mhi_log(MHI_MSG_ERROR,
"Internal Failure, inconsistent ring state, ret %d chan %d\n",
ret_val, chan);
result->payload_buf = 0;
result->bytes_xferd = 0;
result->transaction_status = MHI_STATUS_ERROR;
}
} else {
result->payload_buf = 0;
result->bytes_xferd = 0;
result->transaction_status = MHI_STATUS_SUCCESS;
}
ret_val = delete_element(local_chan_ctxt, &local_chan_ctxt->ack_rp,
&local_chan_ctxt->rp, NULL);
if (ret_val != MHI_STATUS_SUCCESS) {
mhi_log(MHI_MSG_ERROR,
"Failed to remove from inbound ring ret %d chan %d\n",
ret_val, chan);
result->payload_buf = 0;
result->bytes_xferd = 0;
result->transaction_status = MHI_STATUS_SUCCESS;
ret_val = MHI_STATUS_RING_EMPTY;
}
mutex_unlock(chan_mutex);
return ret_val;
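Review bot: The empty-ring branch appears to end up with `result->transaction_status = MHI_STATUS_SUCCESS;` directly beside the new `ret_val = MHI_STATUS_RING_EMPTY;`, so the result structure and the return code can still disagree, which is the class of inconsistency this commit sets out to remove. The +/- markers are lost on this page, so that reading is inferred from the hunk counts; if it holds, drop the success assignment there or set a non-success status so a client that checks only `result` does not treat an empty ring as a completed transfer. In the new `delete_element()` failure path, `payload_buf` and `bytes_xferd` are zeroed but `result->flags` keeps the value copied from `pending_trb->info`; adding `result->flags = 0;` would make the error result uniform. mhi_poll_inbound starts before this hunk, so how `result` is initialised and validated is not visible here.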