Patch "bus: mhi: host: Range check CHDBOFF and ERDBOFF" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 11 May 2023 11:52:34 -0400

This is a note to let you know that I've just added the patch titled

    bus: mhi: host: Range check CHDBOFF and ERDBOFF

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bus-mhi-host-range-check-chdboff-and-erdboff.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ffecd7beda1bb049865050fd0b57b0861def8409
Author: Jeffrey Hugo <quic_jhugo@xxxxxxxxxxx>
Date:   Fri Mar 24 10:13:04 2023 -0600

    bus: mhi: host: Range check CHDBOFF and ERDBOFF
    
    [ Upstream commit 6a0c637bfee69a74c104468544d9f2a6579626d0 ]
    
    If the value read from the CHDBOFF and ERDBOFF registers is outside the
    range of the MHI register space then an invalid address might be computed
    which later causes a kernel panic.  Range check the read value to prevent
    a crash due to bad data from the device.
    
    Fixes: 6cd330ae76ff ("bus: mhi: core: Add support for ringing channel/event ring doorbells")
    Cc: stable@xxxxxxxxxxxxxxx
    Signed-off-by: Jeffrey Hugo <quic_jhugo@xxxxxxxxxxx>
    Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@xxxxxxxxxxx>
    Reviewed-by: Manivannan Sadhasivam <mani@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/1679674384-27209-1-git-send-email-quic_jhugo@xxxxxxxxxxx
    Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/bus/mhi/host/init.c b/drivers/bus/mhi/host/init.c
index 0d0386f67ffe2..2cc48f96afdbc 100644
--- a/drivers/bus/mhi/host/init.c
+++ b/drivers/bus/mhi/host/init.c
@@ -498,6 +498,12 @@ int mhi_init_mmio(struct mhi_controller *mhi_cntrl)
 		return -EIO;
 	}
 
+	if (val >= mhi_cntrl->reg_len - (8 * MHI_DEV_WAKE_DB)) {
+		dev_err(dev, "CHDB offset: 0x%x is out of range: 0x%zx\n",
+			val, mhi_cntrl->reg_len - (8 * MHI_DEV_WAKE_DB));
+		return -ERANGE;
+	}
+
 	/* Setup wake db */
 	mhi_cntrl->wake_db = base + val + (8 * MHI_DEV_WAKE_DB);
 	mhi_write_reg(mhi_cntrl, mhi_cntrl->wake_db, 4, 0);
@@ -517,6 +523,12 @@ int mhi_init_mmio(struct mhi_controller *mhi_cntrl)
 		return -EIO;
 	}
 
+	if (val >= mhi_cntrl->reg_len - (8 * mhi_cntrl->total_ev_rings)) {
+		dev_err(dev, "ERDB offset: 0x%x is out of range: 0x%zx\n",
+			val, mhi_cntrl->reg_len - (8 * mhi_cntrl->total_ev_rings));
+		return -ERANGE;
+	}
+
 	/* Setup event db address for each ev_ring */
 	mhi_event = mhi_cntrl->mhi_event;
 	for (i = 0; i < mhi_cntrl->total_ev_rings; i++, val += 8, mhi_event++) {






