Patch "bus: mhi: host: Fix race between channel preparation and M0 event" has been added to the 6.1-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Wed, 04 Jan 2023 15:47:56 +0100

This is a note to let you know that I've just added the patch titled

    bus: mhi: host: Fix race between channel preparation and M0 event

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 869a99907faea6d1835b0bd0d0422ae3519c6ea9 Mon Sep 17 00:00:00 2001
From: Qiang Yu <quic_qianyu@xxxxxxxxxxx>
Date: Sun, 16 Oct 2022 11:05:32 +0800
Subject: bus: mhi: host: Fix race between channel preparation and M0 event

From: Qiang Yu <quic_qianyu@xxxxxxxxxxx>

commit 869a99907faea6d1835b0bd0d0422ae3519c6ea9 upstream.

There is a race condition where mhi_prepare_channel() updates the
read and write pointers as the base address and in parallel, if
an M0 transition occurs, the tasklet goes ahead and rings
doorbells for all channels with a delta in TRE rings assuming
they are already enabled. This causes a null pointer access. Fix
it by adding a channel enabled check before ringing channel
doorbells.

Cc: stable@xxxxxxxxxxxxxxx # 5.19
Fixes: a6e2e3522f29 "bus: mhi: core: Add support for PM state transitions"
Signed-off-by: Qiang Yu <quic_qianyu@xxxxxxxxxxx>
Reviewed-by: Manivannan Sadhasivam <mani@xxxxxxxxxx>
Link: https://lore.kernel.org/r/1665889532-13634-1-git-send-email-quic_qianyu@xxxxxxxxxxx
[mani: CCed stable list]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/bus/mhi/host/pm.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/bus/mhi/host/pm.c
+++ b/drivers/bus/mhi/host/pm.c
@@ -301,7 +301,8 @@ int mhi_pm_m0_transition(struct mhi_cont
 		read_lock_irq(&mhi_chan->lock);
 
 		/* Only ring DB if ring is not empty */
-		if (tre_ring->base && tre_ring->wp  != tre_ring->rp)
+		if (tre_ring->base && tre_ring->wp  != tre_ring->rp &&
+		    mhi_chan->ch_state == MHI_CH_STATE_ENABLED)
 			mhi_ring_chan_db(mhi_cntrl, mhi_chan);
 		read_unlock_irq(&mhi_chan->lock);
 	}


Patches currently in stable-queue which might be from quic_qianyu@xxxxxxxxxxx are

queue-6.1/bus-mhi-host-fix-race-between-channel-preparation-and-m0-event.patch






