The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that time out around the same time. However, the
function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring. If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.
Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://patch.msgid.link/20260306072451.11131-7-adrian.hunter@intel.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
return -ENOMEM;
spin_lock_init(&hci->lock);
+ mutex_init(&hci->control_mutex);
/*
* Multi-bus instances share the same MMIO address range, but not
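Review bot: mutex_init(&hci->control_mutex) has no matching mutex_destroy() in the lines shown. If the remove path and the probe error paths do not already tear the lock down, add mutex_destroy() there, or use devm_mutex_init() on trees that have it (the Cc: stable tag means older trees may not), so that mutex debugging can flag use of the lock after teardown.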
unsigned int i;
bool did_unqueue = false;
+ guard(mutex)(&hci->control_mutex);
+
/* stop the ring */
rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
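Review bot: the guard(mutex) at the top of the function keeps control_mutex held across wait_for_completion_timeout(&rh->op_done, HZ), so a second timed-out transfer can sit behind the first for up to HZ before its own RING_CTRL_ABORT is written. That is probably the intended serialization, but it also means every caller must be able to sleep and must not hold hci->lock. A short comment above the guard saying so, and saying whether any other writer of RING_CONTROL is expected to take the same mutex, would make the locking rule explicit.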
void *io_data;
const struct hci_cmd_ops *cmd;
spinlock_t lock;
+ struct mutex control_mutex;
atomic_t next_cmd_tid;
bool irq_inactive;
u32 caps;
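Review bot: control_mutex is added directly under spinlock_t lock with no comment on what either lock protects or how they nest. A one-line comment on the new field, for example that it serializes the ring stop/restart sequence in hci_dma_dequeue_xfer() and is never taken under lock, would keep later users from acquiring it in atomic context.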