This is a note to let you know that I've just added the patch titled bus: mhi: host: Fix race between channel preparation and M0 event to the 6.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch and it can be found in the queue-6.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 869a99907faea6d1835b0bd0d0422ae3519c6ea9 Mon Sep 17 00:00:00 2001 From: Qiang Yu <quic_qianyu@xxxxxxxxxxx> Date: Sun, 16 Oct 2022 11:05:32 +0800 Subject: bus: mhi: host: Fix race between channel preparation and M0 event From: Qiang Yu <quic_qianyu@xxxxxxxxxxx> commit 869a99907faea6d1835b0bd0d0422ae3519c6ea9 upstream. There is a race condition where mhi_prepare_channel() updates the read and write pointers as the base address and in parallel, if an M0 transition occurs, the tasklet goes ahead and rings doorbells for all channels with a delta in TRE rings assuming they are already enabled. This causes a null pointer access. Fix it by adding a channel enabled check before ringing channel doorbells. Cc: stable@xxxxxxxxxxxxxxx # 5.19 Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions" Signed-off-by: Qiang Yu <quic_qianyu@xxxxxxxxxxx> Reviewed-by: Manivannan Sadhasivam <mani@xxxxxxxxxx> Link: https://lore.kernel.org/r/1665889532-13634-1-git-send-email-quic_qianyu@xxxxxxxxxxx [mani: CCed stable list] Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/bus/mhi/host/pm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/bus/mhi/host/pm.c b/drivers/bus/mhi/host/pm.c index 4a42186ff111..083459028a4b 100644 --- a/drivers/bus/mhi/host/pm.c +++ b/drivers/bus/mhi/host/pm.c @@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_controller *mhi_cntrl) read_lock_irq(&mhi_chan->lock); /* Only ring DB if ring is not empty */ - if (tre_ring->base && tre_ring->wp != tre_ring->rp) + if (tre_ring->base && tre_ring->wp != tre_ring->rp && + mhi_chan->ch_state == MHI_CH_STATE_ENABLED) mhi_ring_chan_db(mhi_cntrl, mhi_chan); read_unlock_irq(&mhi_chan->lock); } -- 2.39.0 Patches currently in stable-queue which might be from quic_qianyu@xxxxxxxxxxx are queue-6.0/bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch