Commit 1dca8aee authored by Adrian Hunter, committed by Alexandre Belloni

i3c: mipi-i3c-hci: Fix race in DMA ring dequeue



The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that time out around the same time.  However, the
function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring.  If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.

Fixes: 9ad9a52c ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-7-adrian.hunter@intel.com


Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
parent 4decbbc8
+1 −0
@@ -927,6 +927,7 @@ static int i3c_hci_probe(struct platform_device *pdev)
		return -ENOMEM;

	spin_lock_init(&hci->lock);
	mutex_init(&hci->control_mutex);

	/*
	 * Multi-bus instances share the same MMIO address range, but not
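
Review bot: the mutex_init(&hci->control_mutex) added next to spin_lock_init() in i3c_hci_probe() has no matching teardown anywhere in this patch. If the driver's remove and probe-error paths do not call mutex_destroy(), consider devm_mutex_init(&pdev->dev, &hci->control_mutex) with its return value checked, so that CONFIG_DEBUG_MUTEXES can flag any use of the lock after the device is unbound. Because the commit is tagged Cc: stable, confirm that the helper is available in the oldest tree the fix is meant to reach before switching.
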
+2 −0
@@ -547,6 +547,8 @@ static bool hci_dma_dequeue_xfer(struct i3c_hci *hci,
	unsigned int i;
	bool did_unqueue = false;

	guard(mutex)(&hci->control_mutex);

	/* stop the ring */
	rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
	if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
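
Review bot: guard(mutex)(&hci->control_mutex) at the top of hci_dma_dequeue_xfer() is held for the whole function, including the wait_for_completion_timeout(&rh->op_done, HZ) that follows the RING_CTRL_ABORT write, so callers that time out together now queue behind each other and each one can spend up to HZ waiting. A caller that was blocked on the mutex will also repeat the full stop and restart sequence even when the first pass has already dealt with its transfers; consider checking, once the lock is taken, whether the transfers passed in are still pending and returning early if not. The lock covers only this function, so a short comment stating that other ring users are not excluded by it would keep later readers from assuming more than the commit message promises.
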
+1 −0
@@ -51,6 +51,7 @@ struct i3c_hci {
	void *io_data;
	const struct hci_cmd_ops *cmd;
	spinlock_t lock;
	struct mutex control_mutex;
	atomic_t next_cmd_tid;
	bool irq_inactive;
	u32 caps;
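
Review bot: the new control_mutex member in struct i3c_hci sits directly below spinlock_t lock with nothing saying what either one protects, and the name does not hint that its only user is the DMA dequeue path. Add a one-line comment on the field, for example that it serializes ring stop and restart in hci_dma_dequeue_xfer(), and state the ordering against hci->lock if the two are ever held together.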