git.ipfire.org Git - thirdparty/kernel/linux.git/commit

i3c: mipi-i3c-hci: Fix race between DMA ring dequeue and interrupt handler

The DMA ring bookkeeping in the MIPI I3C HCI driver is updated from two
contexts: the DMA ring dequeue path (hci_dma_dequeue_xfer()) and the
interrupt handler (hci_dma_xfer_done()). Both modify the ring's
in-flight transfer state - specifically rh->src_xfers[] and
xfer->ring_entry - but without any serialization. This allows the two
paths to race, potentially leading to inconsistent ring state.

Serialize access to the shared ring state by extending the existing
spinlock to cover the DMA dequeue path and the entire interrupt handler.
Since the core IRQ handler now holds this lock, remove the per-function
locking from the PIO and DMA sub-handlers.

Additionally, clear the completed entry in rh->src_xfers[] in
hci_dma_xfer_done() so it cannot be matched or completed again.

Finally, place the ring restart sequence under the same lock in
hci_dma_dequeue_xfer() to avoid concurrent enqueue or completion
operations while the ring state is being modified.

Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-8-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

author	Adrian Hunter <adrian.hunter@intel.com>
	Fri, 6 Mar 2026 07:24:44 +0000 (09:24 +0200)
committer	Alexandre Belloni <alexandre.belloni@bootlin.com>
	Wed, 11 Mar 2026 21:10:01 +0000 (22:10 +0100)
commit	f0b5159637ca0b8feaaa95de0f5ea38f1ba26729
tree	62e5ae3d91f4fea39c45511c2a99a63f4a68e320	tree \| snapshot
parent	1dca8aee80eea76d2aae21265de5dd64f6ba0f09	commit \| diff

drivers/i3c/master/mipi-i3c-hci/core.c		diff \| blob \| blame \| history
drivers/i3c/master/mipi-i3c-hci/dma.c		diff \| blob \| blame \| history
drivers/i3c/master/mipi-i3c-hci/pio.c		diff \| blob \| blame \| history