tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

i3c: mipi-i3c-hci: Fix race in DMA ring enqueue for parallel xfers

The I3C subsystem allows multiple transfers to be queued concurrently.
However, the MIPI I3C HCI driver's DMA enqueue path, hci_dma_queue_xfer(),
lacks sufficient serialization.

In particular, the allocation of the enqueue_ptr and its subsequent update
in the RING_OPERATION1 register, must be done atomically. Otherwise, for
example, it would be possible for 2 transfers to be allocated the same
enqueue_ptr.

Extend the use of the existing spinlock for that purpose. Keep a count of
the number of xfers enqueued so that it is easy to determine if the ring
has enough space.

Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-6-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

authored by

Adrian Hunter and committed by
Alexandre Belloni 4decbbc8 fa12bb90

+16 -16
+16 -16
drivers/i3c/master/mipi-i3c-hci/dma.c
··· 129 129 dma_addr_t xfer_dma, resp_dma, ibi_status_dma, ibi_data_dma; 130 130 unsigned int xfer_entries, ibi_status_entries, ibi_chunks_total; 131 131 unsigned int xfer_struct_sz, resp_struct_sz, ibi_status_sz, ibi_chunk_sz; 132 - unsigned int done_ptr, ibi_chunk_ptr; 132 + unsigned int done_ptr, ibi_chunk_ptr, xfer_space; 133 133 struct hci_xfer **src_xfers; 134 134 struct completion op_done; 135 135 }; ··· 260 260 261 261 rh->done_ptr = 0; 262 262 rh->ibi_chunk_ptr = 0; 263 + rh->xfer_space = rh->xfer_entries; 263 264 } 264 265 265 266 static void hci_dma_init_rings(struct i3c_hci *hci) ··· 471 470 struct hci_rings_data *rings = hci->io_data; 472 471 struct hci_rh_data *rh; 473 472 unsigned int i, ring, enqueue_ptr; 474 - u32 op1_val, op2_val; 473 + u32 op1_val; 475 474 int ret; 476 475 477 476 ret = hci_dma_map_xfer_list(hci, rings->sysdev, xfer_list, n); ··· 481 480 /* For now we only use ring 0 */ 482 481 ring = 0; 483 482 rh = &rings->headers[ring]; 483 + 484 + spin_lock_irq(&hci->lock); 485 + 486 + if (n > rh->xfer_space) { 487 + spin_unlock_irq(&hci->lock); 488 + hci_dma_unmap_xfer(hci, xfer_list, n); 489 + return -EBUSY; 490 + } 484 491 485 492 op1_val = rh_reg_read(RING_OPERATION1); 486 493 enqueue_ptr = FIELD_GET(RING_OP1_CR_ENQ_PTR, op1_val); ··· 527 518 xfer->ring_entry = enqueue_ptr; 528 519 529 520 enqueue_ptr = (enqueue_ptr + 1) % rh->xfer_entries; 530 - 531 - /* 532 - * We may update the hardware view of the enqueue pointer 533 - * only if we didn't reach its dequeue pointer. 534 - */ 535 - op2_val = rh_reg_read(RING_OPERATION2); 536 - if (enqueue_ptr == FIELD_GET(RING_OP2_CR_DEQ_PTR, op2_val)) { 537 - /* the ring is full */ 538 - hci_dma_unmap_xfer(hci, xfer_list, n); 539 - return -EBUSY; 540 - } 541 521 } 542 522 543 - /* take care to update the hardware enqueue pointer atomically */ 544 - spin_lock_irq(&hci->lock); 545 - op1_val = rh_reg_read(RING_OPERATION1); 523 + rh->xfer_space -= n; 524 + 546 525 op1_val &= ~RING_OP1_CR_ENQ_PTR; 547 526 op1_val |= FIELD_PREP(RING_OP1_CR_ENQ_PTR, enqueue_ptr); 548 527 rh_reg_write(RING_OPERATION1, op1_val); ··· 598 601 { 599 602 u32 op1_val, op2_val, resp, *ring_resp; 600 603 unsigned int tid, done_ptr = rh->done_ptr; 604 + unsigned int done_cnt = 0; 601 605 struct hci_xfer *xfer; 602 606 603 607 for (;;) { ··· 630 632 631 633 done_ptr = (done_ptr + 1) % rh->xfer_entries; 632 634 rh->done_ptr = done_ptr; 635 + done_cnt += 1; 633 636 } 634 637 635 638 /* take care to update the software dequeue pointer atomically */ 636 639 spin_lock(&hci->lock); 640 + rh->xfer_space += done_cnt; 637 641 op1_val = rh_reg_read(RING_OPERATION1); 638 642 op1_val &= ~RING_OP1_CR_SW_DEQ_PTR; 639 643 op1_val |= FIELD_PREP(RING_OP1_CR_SW_DEQ_PTR, done_ptr);