From nobody Tue Feb 10 09:57:43 2026 Received: from mail-oi1-f171.google.com (mail-oi1-f171.google.com [209.85.167.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5268F361DA6 for ; Fri, 16 Jan 2026 10:42:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.167.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768560130; cv=none; b=BhU/oCwsG2JNNLT0v6skgIKDgWJMQ3V5l576/uZ3YxQFDJNSa9qBWMc1GLKprLGNgUXqwHGkF+LtQESp/OltvEY6nhf7XGWuGUfThLZXZ1l+JFK/G/gwTt46kzgvDsDT5V0ccfRghIvZnivu/04DY3RM34BUrYfZSjo7OCFPffY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768560130; c=relaxed/simple; bh=+gM/8rmoVUIhEKxbIe7M9zBfgjnLSTWPpirV2zKTD7w=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=bH30L0sJtqeaIj+PFOdsJtFG9FvxKpvU5NbRK9kTBrvmZy/KXoW+VJ+MtdEVu3MatGE6tW+otAv0++6GjQuk9XUht/6EDniHCaqvHGQHXKmb0yVnLmS8dUAAr0wvo4tt1CUqjFwEraKo/lKbPfl49+2IH9chqm+G+s6oZTiAV7M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=pass smtp.mailfrom=gmail.com; arc=none smtp.client-ip=209.85.167.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-oi1-f171.google.com with SMTP id 5614622812f47-45c7a71ba20so514963b6e.2 for ; Fri, 16 Jan 2026 02:42:05 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1768560122; x=1769164922; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=9/Q48q0IeRuhiLU39AjZe41jfSGMPYWViJGlNFlddxU=; b=NVl2LGMdBU6LudK6xbG/pzQUAQParTNPJlLxhrjFmSjV3HcfOKGfp2tH/gya/skwwE GUytNt7b+uDKwIvLtHT9WtglNyu0gNHQQfBaA6wt4d7yN39NvjZBZpQg9fspwgv5Jbf5 QUiiYg72RdwoxZO2P1/c3EaFxtXZPvftdqfM8xEBxQyjXq3Ppx5fzUvXCZsBE3r1ih9K 5tZJs2c5lXxAqv08xpYv96SrmBreBLI7SjP0dT7vLlYI1wmKRcd1orkksJjq/BJF8Io4 2ZbSKAt8TQoj2dk5c4CFogp2yLdnVCW6NBFY+1vyrQ1OLdqzZWsvuEqfuXbVe8OAHySh ihyg== X-Forwarded-Encrypted: i=1; AJvYcCXnqEE+/WC4aMqEJ5bYbWIp4WU9mCSKNIZcBd1U0hzn48q+hpgcektgV3kqA9PaL9eiPOkgwNYnyBbmHMg=@vger.kernel.org X-Gm-Message-State: AOJu0YwAluRbdduH1pO9px0coZabTMJfl4u0bNi+LGiZmwEFFn+D6SUo b53kTsb85utWdaYLJ045/ef6/whUbOA1DQUcs/ziaRr+oP+FtL7kyLEq X-Gm-Gg: AY/fxX5oAxg2WUxI8OSrNijhMQJtIrF3A2oz9CYZaO4w9h2uPBwpLav8h9g/Jd9ryVk HQtUptWBeh8BrIjxBRwddpgIS7DxlrRLrdNMTPvHY0GnM897jC5lU7S1Gi7xfIYyFkQ51GuxaXz ivG5llIjCeAWaYuj994+3TKMvbHGrcvKnpSKdQaArOIQbqaIPLhe5aWU5YXdF2+SlyhGwNEKMOH uTEiXe9rBlsgglWHjEZ1yi+XwbuEqdx+w9H/SsMN/FILbagpJvPdkbVycJ+2hQ9ddvbZqAJQjQ4 rUctZYaadl4JPP80gJbIdydce9LMHiH3GLefAxBxk++l+vl2dQnHWV+ROqwVT6DePTQ3EMFKvaY 6S5TifycD0+anDX5lPk/ge8I/b51YLHjnFTFjTAsnJtUzv/fPHeNpSr4UBW4YdXRnenb9NHYX/m 9UlQ== X-Received: by 2002:a05:6808:1987:b0:450:c58d:8c3a with SMTP id 5614622812f47-45c9c197324mr1174687b6e.46.1768560122245; Fri, 16 Jan 2026 02:42:02 -0800 (PST) Received: from localhost ([2a03:2880:10ff:48::]) by smtp.gmail.com with ESMTPSA id 5614622812f47-45c9e0086a4sm1159605b6e.12.2026.01.16.02.42.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 16 Jan 2026 02:42:01 -0800 (PST) From: Breno Leitao Date: Fri, 16 Jan 2026 02:41:44 -0800 Subject: [PATCH 4/6] spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260116-tegra_xfer-v1-4-02d96c790619@debian.org> References: <20260116-tegra_xfer-v1-0-02d96c790619@debian.org> In-Reply-To: <20260116-tegra_xfer-v1-0-02d96c790619@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, puranjay@kernel.org, usamaarif642@gmail.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1795; i=leitao@debian.org; h=from:subject:message-id; bh=+gM/8rmoVUIhEKxbIe7M9zBfgjnLSTWPpirV2zKTD7w=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpahXyLNJ7iq84eB82zOL5JoFiQtdRTUjOjHDHy fVQ9LMo6UGJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaWoV8gAKCRA1o5Of/Hh3 bQ9jEACbt6+1pTgBmYLHPVxF3SfGaQoSj+VK3AqdIwMH57jLykLhqPWDjGyEiEBOoFaDuidkye6 CZvQ8mI5XH93opWhN294Ctp+Men+sJ1Y5GlVL6/20WnfB6MDLkZO0SoUxTkY6Ty0t82DHmHdWrg 0XdNzMDRpRt/dmfO3wvDBd7CXDNG/Mt1sno40TXqlRNOfDNc8pLTrtP2qOTPZEyN+CnHF0hxJwB MCmBdJN5pP4w1hdAVBDPEopagzKA1NtwVhkSMpIrxDyL+P0q89rnWzRDivcrn3c4jGVpJF34rGm WwJEEnLyYh4e/RJf7mM+pGxTFEHhl94Bnd9lfhViR4eNdmi51EEiaiOPd7sTtkonFk27sA3GJzO 6QBuF4tc0a6QIKfFAXXR9u5GajuQVKeOdq5aa7yU9mDIZEoUUV2oOGVQWc9ovJtLeiVS1lb+uD2 nX1Ypfgezo8cdZtcLNT4NOG4LprtTkipiX1kDDOcOq7r+DH0KFxb2XzKhBbObCZOVCK3q5dXOmT RdolAzs3DXVDFt/qQIjIXOi+DeKwQ/eWeIiXRc2M00P/TpzVEldcETbI64ZrHy1UcFYQ59z55Ws Mc2pPBroAgksK/IVx2S1Wl8edU++R31E1mQDFTUEL3e/EgEf78VfhYjyJdlhzKqXwORuzENsxO6 dbisWSdjANhedMg== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free. Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index 15c110c00aca..669e01d3f56a 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -1161,6 +1161,7 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_= qspi *tqspi, u32 address_value =3D 0; u32 cmd_config =3D 0, addr_config =3D 0; u8 cmd_value =3D 0, val =3D 0; + unsigned long flags; =20 /* Enable Combined sequence mode */ val =3D tegra_qspi_readl(tqspi, QSPI_GLOBAL_CONFIG); @@ -1264,13 +1265,17 @@ static int tegra_qspi_combined_seq_xfer(struct tegr= a_qspi *tqspi, tegra_qspi_transfer_end(spi); spi_transfer_delay_exec(xfer); } + spin_lock_irqsave(&tqspi->lock, flags); tqspi->curr_xfer =3D NULL; + spin_unlock_irqrestore(&tqspi->lock, flags); transfer_phase++; } ret =3D 0; =20 exit: + spin_lock_irqsave(&tqspi->lock, flags); tqspi->curr_xfer =3D NULL; + spin_unlock_irqrestore(&tqspi->lock, flags); msg->status =3D ret; =20 return ret; --=20 2.47.3