From bad018aefc79de4fed3365f4727275f675308863 Mon Sep 17 00:00:00 2001
From: Mehul Raninga
Date: Mon, 1 Jul 2024 15:50:18 +0530
Subject: [PATCH] Slimbus: slim-msm-ngd: Avoid accessing deallocated stack

The functions ngd_xfer_msg declare a local completion variable called done. However, this variable is accessed beyond the scope of these functions. To address this issue:
1. Instead of keeping done as a local variable, move it to msm_slim_ctrl.
2. Initialize done during the probe phase.
3. Use this variable for handling transfer and synchronization messages.

Change-Id: If97b71e2db730ab21bfd07479d2737b0546e1f8e
Signed-off-by: Mehul Raninga
Signed-off-by: Chintan Kothari
---
 drivers/slimbus/slim-msm-ngd.c | 9 +++++++--
 drivers/slimbus/slim-msm.h | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/slimbus/slim-msm-ngd.c b/drivers/slimbus/slim-msm-ngd.c
index db36dd9e2a71..d6bafe6ff44e 100644
--- a/drivers/slimbus/slim-msm-ngd.c
+++ b/drivers/slimbus/slim-msm-ngd.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
  * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2024, Qualcomm Innovation Center, Inc. All rights reserved.
  */
 
 #include
@@ -477,7 +478,6 @@ static int ngd_check_hw_status(struct msm_slim_ctrl *dev)
 
 static int ngd_xfer_msg(struct slim_controller *ctrl, struct slim_msg_txn *txn)
 {
-	DECLARE_COMPLETION_ONSTACK(done);
 	DECLARE_COMPLETION_ONSTACK(tx_sent);
 	struct msm_slim_ctrl *dev = slim_get_ctrldata(ctrl);
 
@@ -491,6 +491,8 @@ static int ngd_xfer_msg(struct slim_controller *ctrl, struct slim_msg_txn *txn)
 	bool report_sat = false;
 	bool sync_wr = true;
 
+	reinit_completion(&dev->xfer_done);
+
 	if (txn->mc & SLIM_MSG_CLK_PAUSE_SEQ_FLG)
 		return -EPROTONOSUPPORT;
 
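Review bot: `reinit_completion(&dev->xfer_done)` at the top of ngd_xfer_msg turns the per-call completion into one shared by every transaction on the controller, so the fix is only safe if ngd_xfer_msg is serialised per controller (tx_lock, initialised in the probe hunk, may do this, but that is not visible here) and if the TID entry of a transaction that timed out is released before the next call; otherwise a late complete() landing after the reinit satisfies the next caller's wait with the previous transaction's result. I would keep the reinit beside its only visible use, `txn->comp = &dev->xfer_done;`, and record the invariant on the field: `/* shared by all transactions on this controller; ngd_xfer_msg must be serialised and a timed-out TID released before reuse */`. tx_sent stays on the stack in the same hunk; if it is also handed to a callback that can fire after the wait times out, it has the lifetime problem this commit fixes for done. ngd_xfer_msg continues outside these hunks.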
@@ -649,7 +651,9 @@ static int ngd_xfer_msg(struct slim_controller *ctrl, struct slim_msg_txn *txn)
 		wbuf[i++] = txn->wbuf[0];
 		if (txn->mc != SLIM_USR_MC_DISCONNECT_PORT)
 			wbuf[i++] = txn->wbuf[1];
-		ret = ngd_get_tid(ctrl, txn, &wbuf[i++], &done);
+
+		txn->comp = &dev->xfer_done;
+		ret = ngd_get_tid(ctrl, txn, &wbuf[i++], &dev->xfer_done);
 		if (ret) {
 			SLIM_ERR(dev, "TID for connect/disconnect fail:%d\n",
 				ret);
@@ -2015,6 +2019,7 @@ static int ngd_slim_probe(struct platform_device *pdev)
 	init_completion(&dev->reconf);
 	init_completion(&dev->ctrl_up);
 	init_completion(&dev->qmi_up);
+	init_completion(&dev->xfer_done);
 	mutex_init(&dev->tx_lock);
 	mutex_init(&dev->ssr_lock);
 	spin_lock_init(&dev->tx_buf_lock);
diff --git a/drivers/slimbus/slim-msm.h b/drivers/slimbus/slim-msm.h
index eabcecfef110..93a85ec2d68c 100644
--- a/drivers/slimbus/slim-msm.h
+++ b/drivers/slimbus/slim-msm.h
@@ -308,6 +308,8 @@ struct msm_slim_ctrl {
 	bool chan_active;
 	enum msm_ctrl_state state;
 	struct completion ctrl_up;
+	struct completion xfer_done;
+	struct completion sync_done;
 	int nsats;
 	u32 ver;
 	struct msm_slim_qmi qmi;
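Review bot: `struct completion sync_done` is added to msm_slim_ctrl in the slim-msm.h hunk, but the only initialisation this patch adds in ngd_slim_probe is `init_completion(&dev->xfer_done);`, so any wait_for_completion() or complete() on dev->sync_done would run on a completion whose wait queue and lock were never set up. Either add `init_completion(&dev->sync_done);` beside it or drop the field until it has a user; no user of sync_done appears in this patch although the commit message mentions synchronization messages. In the ngd_xfer_msg hunk `txn->comp = &dev->xfer_done;` is set only on the connect/disconnect-port path shown, so whether other txn paths still wait on a stack completion cannot be judged from here; the function continues outside the hunk.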