[PATCH 04/12] i3c: mipi-i3c-hci: Fix race in DMA ring dequeue

[Adrian Hunter]

The HCI DMA dequeue path (hci_dma_dequeue_xfer()) may be invoked for
multiple transfers that timeout around the same time.  However, the
function is not serialized and can race with itself.

When a timeout occurs, hci_dma_dequeue_xfer() stops the ring, processes
incomplete transfers, and then restarts the ring.  If another timeout
triggers a parallel call into the same function, the two instances may
interfere with each other - stopping or restarting the ring at unexpected
times.

Add a mutex so that hci_dma_dequeue_xfer() is serialized with respect to
itself.

Fixes: 9ad9a52cce282 ("i3c/master: introduce the mipi-i3c-hci driver")
Cc: stable at vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter at intel.com>
---
 drivers/i3c/master/mipi-i3c-hci/dma.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
index f60654fbe58e..5a9af561e4cb 100644
--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
+++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
@@ -133,6 +133,7 @@ struct hci_rh_data {
 	struct hci_xfer **src_xfers;
 	spinlock_t lock;
 	struct completion op_done;
+	struct mutex control_mutex;
 };
 
 struct hci_rings_data {
@@ -347,6 +348,7 @@ static int hci_dma_init(struct i3c_hci *hci)
 		rh->regs = hci->base_regs + offset;
 		spin_lock_init(&rh->lock);
 		init_completion(&rh->op_done);
+		mutex_init(&rh->control_mutex);
 
 		rh->xfer_entries = XFER_RING_ENTRIES;
 
@@ -549,6 +551,8 @@ static bool hci_dma_dequeue_xfer(struct i3c_hci *hci,
 	unsigned int i;
 	bool did_unqueue = false;
 
+	guard(mutex)(&rh->control_mutex);
+
 	/* stop the ring */
 	rh_reg_write(RING_CONTROL, RING_CTRL_ABORT);
 	if (wait_for_completion_timeout(&rh->op_done, HZ) == 0) {
-- 
2.51.0