Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3206643ybz; Mon, 27 Apr 2020 11:52:43 -0700 (PDT) X-Google-Smtp-Source: APiQypJXDWVOWfVcIWtJmz0kzM6AG3u/v58i34B1wJcptXmUUZNYJdmRY4mvKYduXmBrzW7iX4vB X-Received: by 2002:a17:906:cd0d:: with SMTP id oz13mr21125470ejb.82.1588013563309; Mon, 27 Apr 2020 11:52:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588013563; cv=none; d=google.com; s=arc-20160816; b=s65lWhkNRtk2odM5hKl0vSdh2dR9YSCqzvDG02Hqr+rmzji253Bgi9GFzOx39vRl+9 Nux5nkadKmdyU+1WWYEnjoomG+QV9yk3KfAMP2zmoE5VprDO46ZTLyQTld+pSX2zuiYT wqAgJ7hOyy1qj5IaUWC5R0QmFCwHuivHwXe6ujp4RPVm7ICIGBuKnEkYLRHU1vnxlVL8 xSxF+d8N+652Eqq1T5O8uXnY+p5zv4d2r7lr+GGlSYuL69xgwC3BqrnTQwKldrIMAlnB KjbesJ4IOUdDLTeVABocSJdzVaP3rz6O38L+vMgd4VbtH8lSuQY2Pa7VnnMEjYayrvTB ermw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dmarc-filter :dkim-signature; bh=7yOIc6cBQUmjb2EJJfMTPa2gtx2SJO7TFkVSbmtblNE=; b=kV/XRkVkQe8nEA3T+kFHYBk8eh2pIOTofGB6/C1Ovm4X+NWnCcMrTg/ZOWe9xag8aY JO/PYnotrRqNqTu2rh0R/DrDJGAPOkk3pVwzffoojnbfH+Yz6KVpEexOTWfXTSLyGpFV Xz4wLWRp4Wy9PfefUx5xZpK5kTy/Xi6JuiJg3hC69uFEWM3PR12D/903q7tfwArDKOMz WCHyo7rhTofSEyPVJQM8M08GpTj/JbIHJlcYIGSwz+M+IaCLEG4hXxEMKzm2rA3My82/ DXM/ThBpuFs3VilSZd8ubp35r9AabAveGWnumTM0a1EXuzceKHgWXmbEPSJ2wegdrrN6 VGvw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@mg.codeaurora.org header.s=smtp header.b=kw0g7Xn3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id oy6si263002ejb.383.2020.04.27.11.52.19; Mon, 27 Apr 2020 11:52:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@mg.codeaurora.org header.s=smtp header.b=kw0g7Xn3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726613AbgD0Sun (ORCPT + 99 others); Mon, 27 Apr 2020 14:50:43 -0400 Received: from mail26.static.mailgun.info ([104.130.122.26]:33733 "EHLO mail26.static.mailgun.info" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726226AbgD0Sun (ORCPT ); Mon, 27 Apr 2020 14:50:43 -0400 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1588013443; h=Content-Transfer-Encoding: Content-Type: In-Reply-To: MIME-Version: Date: Message-ID: From: References: Cc: To: Subject: Sender; bh=7yOIc6cBQUmjb2EJJfMTPa2gtx2SJO7TFkVSbmtblNE=; b=kw0g7Xn3bTh+BwGOLSjcPLzYPU2N7HnqVTaeOkzbmBNpYrFdKKBd4pt/KZVLvCy2GGq/dxdM K5JusFF/TKrszBWaSnlEi3G0qXRaSD7jCPY4Gdw1ZBSyrUuLwfzg/FdTDR//d985Iw2D70yc 1AqTEi2+wL0v0nZGj9PWUugTNpc= X-Mailgun-Sending-Ip: 104.130.122.26 X-Mailgun-Sid: WyI0MWYwYSIsICJsaW51eC1rZXJuZWxAdmdlci5rZXJuZWwub3JnIiwgImJlOWU0YSJd Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by mxa.mailgun.org with ESMTP id 5ea72979.7f27702b2500-smtp-out-n04; Mon, 27 Apr 2020 18:50:33 -0000 (UTC) Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 21503C44788; Mon, 27 Apr 2020 18:50:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=2.0 tests=ALL_TRUSTED,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.0 Received: from [10.226.58.28] (i-global254.qualcomm.com [199.106.103.254]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: jhugo) by smtp.codeaurora.org (Postfix) with ESMTPSA id 204B6C433BA; Mon, 27 Apr 2020 18:50:31 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 204B6C433BA Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=none smtp.mailfrom=jhugo@codeaurora.org Subject: Re: [PATCH v1 2/8] bus: mhi: core: Add range check for channel id received in event ring To: Bhaumik Bhatt , mani@kernel.org Cc: linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, hemantk@codeaurora.org References: <1588012342-4995-1-git-send-email-bbhatt@codeaurora.org> <1588012342-4995-3-git-send-email-bbhatt@codeaurora.org> From: Jeffrey Hugo Message-ID: <0dc0310f-3fbd-088c-75cd-291e7c76e83b@codeaurora.org> Date: Mon, 27 Apr 2020 12:50:30 -0600 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <1588012342-4995-3-git-send-email-bbhatt@codeaurora.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/27/2020 12:32 PM, Bhaumik Bhatt wrote: > From: Hemant Kumar > > MHI data completion handler function reads channel id from event > ring element. Value is under the control of MHI devices and can be > any value between 0 and 255. In order to prevent out of bound access > add a bound check against the max channel supported by controller > and skip processing of that event ring element. > > Signed-off-by: Hemant Kumar I believe your SOB is needed here after Hemant's per section 11 of Documentation/process/submitting-patches.rst > --- > drivers/bus/mhi/core/main.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/bus/mhi/core/main.c b/drivers/bus/mhi/core/main.c > index 23154f1..ba8afa7 100644 > --- a/drivers/bus/mhi/core/main.c > +++ b/drivers/bus/mhi/core/main.c > @@ -827,6 +827,9 @@ int mhi_process_data_event_ring(struct mhi_controller *mhi_cntrl, > enum mhi_pkt_type type = MHI_TRE_GET_EV_TYPE(local_rp); > > chan = MHI_TRE_GET_EV_CHID(local_rp); > + if (WARN_ON(chan >= mhi_cntrl->max_chan)) > + continue; > + > mhi_chan = &mhi_cntrl->mhi_chan[chan]; > > if (likely(type == MHI_PKT_TYPE_TX_EVENT)) { > How does this work? I understand the need for the range check, however I looks like this change doesn't do proper handling. Since all you do is "continue", we'll remain stuck in the while loop this exists in, continuously "processing" the same event, failing the same check, and spamming the kernel log with the WARN_ON output until the end of time. What am I missing? What is the behavior you want? Do you want to just drop/ignore the invalid event, or issue a reset of the device because it is clearly misbehaving? -- Jeffrey Hugo Qualcomm Technologies, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project.