tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

i3c: mipi-i3c-hci: Fix race in DMA ring dequeue

The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that timeout around the same time. However, the
function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring. If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.

Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-7-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

authored by

Adrian Hunter and committed by
Alexandre Belloni 1dca8aee 4decbbc8

+4
+1
drivers/i3c/master/mipi-i3c-hci/core.c
··· 927 927 return -ENOMEM; 928 928 929 929 spin_lock_init(&hci->lock); 930 + mutex_init(&hci->control_mutex); 930 931 931 932 /* 932 933 * Multi-bus instances share the same MMIO address range, but not
+2
drivers/i3c/master/mipi-i3c-hci/dma.c
··· 547 547 unsigned int i; 548 548 bool did_unqueue = false; 549 549 550 + guard(mutex)(&hci->control_mutex); 551 + 550 552 /* stop the ring */ 551 553 rh_reg_write(RING_CONTROL, RING_CTRL_ABORT); 552 554 if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
+1
drivers/i3c/master/mipi-i3c-hci/hci.h
··· 51 51 void *io_data; 52 52 const struct hci_cmd_ops *cmd; 53 53 spinlock_t lock; 54 + struct mutex control_mutex; 54 55 atomic_t next_cmd_tid; 55 56 bool irq_inactive; 56 57 u32 caps;