Merge "msm: mhi_dev: Prevent invalid memory access during channel read"

drivers/platform/msm/mhi_dev/mhi.c

@@ -2942,6 +2942,14 @@ int mhi_dev_read_channel(struct mhi_req *mreq)
 	mutex_lock(&ch->ch_lock);
 
 	do {
+		if (ch->state == MHI_DEV_CH_STOPPED) {
+			mhi_log(MHI_MSG_VERBOSE,
+				"channel (%d) already stopped\n",
+				mreq->chan);
+			bytes_read = -1;
+			goto exit;
+		}
+
 		el = &ring->ring_cache[ring->rd_offset];
 		mhi_log(MHI_MSG_VERBOSE, "evtptr : 0x%llx\n",
 						el->tre.data_buf_ptr);
@@ -2963,13 +2971,6 @@ int mhi_dev_read_channel(struct mhi_req *mreq)
 				goto exit;
 			}
 
-			if (ch->state == MHI_DEV_CH_STOPPED) {
-				mhi_log(MHI_MSG_VERBOSE,
-					"channel (%d) already stopped\n",
-					mreq->chan);
-				bytes_read = -1;
-				goto exit;
-			}
 
 			ch->tre_loc = el->tre.data_buf_ptr;
 			ch->tre_size = el->tre.len;

drivers/platform/msm/mhi_dev/mhi_uci.c

@@ -923,8 +923,11 @@ static int open_client_mhi_channels(struct uci_client *uci_client)
 {
 	int rc = 0;
 
-	if (!mhi_uci_are_channels_connected(uci_client))
+	if (!mhi_uci_are_channels_connected(uci_client)) {
+		uci_log(UCI_DBG_ERROR, "%s:Channels are not connected\n",
+			__func__);
 		return -ENODEV;
+	}
 
 	uci_log(UCI_DBG_DBG,
 			"Starting channels %d %d.\n",
@@ -1248,6 +1251,12 @@ static int __mhi_uci_client_read(struct uci_client *uci_handle,
 	int ret_val = 0;
 
 	do {
+		if (!mhi_uci_are_channels_connected(uci_handle)) {
+			uci_log(UCI_DBG_ERROR,
+				"%s:Channels are not connected\n", __func__);
+			return -ENODEV;
+		}
+
 		if (!uci_handle->pkt_loc &&
 			!atomic_read(&uci_ctxt.mhi_disabled)) {
 			ret_val = uci_handle->read(uci_handle, bytes_avail);
@@ -1394,6 +1403,12 @@ static ssize_t mhi_uci_client_write(struct file *file,
 		return -EIO;
 	}
 
+	if (!mhi_uci_are_channels_connected(uci_handle)) {
+		uci_log(UCI_DBG_ERROR, "%s:Channels are not connected\n",
+			__func__);
+		return -ENODEV;
+	}
+
 	if (count > TRB_MAX_DATA_SIZE) {
 		uci_log(UCI_DBG_ERROR,
 			"Too big write size: %d, max supported size is %d\n",