regmap: Fix race condition in hwspinlock irqsave routine

[ Upstream commit 4b58aac989c1e3fafb1c68a733811859df388250 ]

Previously, the address of the shared member '&map->spinlock_flags' was
passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race
condition where multiple contexts contending for the lock could overwrite
the shared flags variable, potentially corrupting the state for the
current lock owner.

Fix this by using a local stack variable 'flags' to store the IRQ state
temporarily.

Fixes: 8698b9364710 ("regmap: Add hardware spinlock support")
Signed-off-by: Cheng-Yu Lee <cylee12@realtek.com>
Co-developed-by: Yu-Chun Lin <eleanor.lin@realtek.com>
Signed-off-by: Yu-Chun Lin <eleanor.lin@realtek.com>
Link: https://patch.msgid.link/20260109032633.8732-1-eleanor.lin@realtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 9603c28a3ed823060be5a1dcd3b8259c8889d4ef..48860beff95c9fbffca2140138dcb37910c97eb6 100644 (file)
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -408,9 +408,11 @@ static void regmap_lock_hwlock_irq(void *__map)
 static void regmap_lock_hwlock_irqsave(void *__map)
 {
        struct regmap *map = __map;
+       unsigned long flags = 0;
 
        hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX,
-                                   &map->spinlock_flags);
+                                   &flags);
+       map->spinlock_flags = flags;
 }
 
 static void regmap_unlock_hwlock(void *__map)