From nobody Mon Jan 26 22:50:21 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 53B993009D4; Mon, 26 Jan 2026 17:50:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449856; cv=none; b=ToAkc2TGZMIBl8Q7qU3m1LFwi6svIRR7KS2WZ9W8BsU/L7QbrjInHaEq0dreftGbvT4dpCka2i2wxt24awCQ2D8YiZrGsPsVG3+3aIwU+Cs6mEy/23cFien9o3mOgxlXxbxrq5hfmZShuoJ48AZHieBKCr2vBKyPEF9L+VlVwro= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449856; c=relaxed/simple; bh=u8osWnqm4Fzbf1671rwr9CIaGAGYnZg18KtK6a+DeD4=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=ZOXXd0oHIB/2Y3udVuC1LUF1RnKt4vKzb+cH9mkTPv/3187E19EtZWitUZf1myylxbw75T1MDn7p9sZKIHMvyrLNK/bAgccRDcbSPWrTDfcKdFoX3YjE1LclSzHUFS7ti9xsVQO1s0GNxvcTBsyH/t5DCdATJjZGDk267xruy7o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=eN05+p7N; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="eN05+p7N" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=HiQ/X63XB//SaCYFumcRm/UIBGFzLcRj6KzHW1F1Jow=; b=eN05+p7NnI7Xwf8v4/cg1TiN/7 Gbn08yJ/nQnY8At43elh2s6dqzgsEkILymVkTy/4hwE/U9ctw1ki0ITNlms5ZTknTp71SvrttCfAz liLcuQc2dnUTGrgt7NZwNVnOs70+gUlccZqqs6ZbCXal9SRvMFJi/0VFtyeAGc+1GKAeHA53DT8Vu vuNHCPYmN4GKll0jMjJWM1UZ+LmJT6oZL3UzKyXFU8pNZl+ii4Zpy+qd5upXYRIpZ8uutCiMY8P2K dRC2ZKWiNHMUVyxiZCFRKQU/SFWSlanbdUuCuPkYoTE+7JEkfJz0iazJkJN22Ga53n+h9xulG22KB HGpQme6w==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1vkQji-00GLZ9-39; Mon, 26 Jan 2026 17:50:50 +0000 From: Breno Leitao Date: Mon, 26 Jan 2026 09:50:26 -0800 Subject: [PATCH v2 1/6] spi: tegra210-quad: Return IRQ_HANDLED when timeout already processed transfer Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260126-tegra_xfer-v2-1-6d2115e4f387@debian.org> References: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> In-Reply-To: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, soto@nvidia.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=2297; i=leitao@debian.org; h=from:subject:message-id; bh=u8osWnqm4Fzbf1671rwr9CIaGAGYnZg18KtK6a+DeD4=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpd6lvRJG84VHkqhFRCNeoUDT9DFSZ4N2VcriGG lZXZmpXgICJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaXepbwAKCRA1o5Of/Hh3 bTF5D/99KGc9bLfLDzqU5Y6QN1IBDxP4S+a2zgf8le9q5JpD4dZ1/fKLad+y8r4Pu+Eiz/GN9kw mn8emwWpHbBq22HQFkHjc/cbmF4tRaD1wtzvfLMDiJZGtjWPTZ2U0QnrtOfPK9M0qggfZFFUD6K KU0cwhYVo54dobIwz+uJcUxbn1+as3VKgkWQW5cZMg16ob+56JHqMe05rNkpSF5U9EVU+ammBWj wgDjJMHlFY+NBsHr6byMrQQhEF5ZsyHTID4DLInc3eHJStyoeqMDfD2nLczg3QRF43lHJtL3/5X cE0yMktVr7TN5GTLWFLokdFmgccCn812aL2raZoYCeQPMwaBYnUJAkGhV7927ohvgyGEItwMzbE gkEkIGZlJkbhgKysv7nizEkn/UFCNzVT/yGfIUvcFT0nM1+JWU5fS0E7//+MX9rjZLLSGQ5vebE Ebkskk9nAa6PHmPdFAAjNYxN2qckwXfePH0bfJu9wwqiDPUhjVUQjgDHdG8Odyed1oarnK8hLqV RPzt+WC7R1dfDNAF4qfuzPgAKXULyn9cyd7WacuJEr4d0xvTVlae88zDwp2F9bWUtFpXZ/AC6oD 6cCfRmEC+CkUiH1mRYqGgyyXHPm5gkla0uLxCu+61g/jAJyKMMFJbzRUT8EFAn3Yit4yrzU3Mbj JqXclJ508ocinsw== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao When the ISR thread wakes up late and finds that the timeout handler has already processed the transfer (curr_xfer is NULL), return IRQ_HANDLED instead of IRQ_NONE. Use a similar approach to tegra_qspi_handle_timeout() by reading QSPI_TRANS_STATUS and checking the QSPI_RDY bit to determine if the hardware actually completed the transfer. If QSPI_RDY is set, the interrupt was legitimate and triggered by real hardware activity. The fact that the timeout path handled it first doesn't make it spurious. Returning IRQ_NONE incorrectly suggests the interrupt wasn't for this device, which can cause issues with shared interrupt lines and interrupt accounting. Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index cdc3cb7c01f9b..f0408c0b4b981 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -1552,15 +1552,30 @@ static irqreturn_t handle_dma_based_xfer(struct teg= ra_qspi *tqspi) static irqreturn_t tegra_qspi_isr_thread(int irq, void *context_data) { struct tegra_qspi *tqspi =3D context_data; + u32 status; + + /* + * Read transfer status to check if interrupt was triggered by transfer + * completion + */ + status =3D tegra_qspi_readl(tqspi, QSPI_TRANS_STATUS); =20 /* * Occasionally the IRQ thread takes a long time to wake up (usually * when the CPU that it's running on is excessively busy) and we have * already reached the timeout before and cleaned up the timed out * transfer. Avoid any processing in that case and bail out early. + * + * If no transfer is in progress, check if this was a real interrupt + * that the timeout handler already processed, or a spurious one. */ - if (!tqspi->curr_xfer) - return IRQ_NONE; + if (!tqspi->curr_xfer) { + /* Spurious interrupt - transfer not ready */ + if (!(status & QSPI_RDY)) + return IRQ_NONE; + /* Real interrupt, already handled by timeout path */ + return IRQ_HANDLED; + } =20 tqspi->status_reg =3D tegra_qspi_readl(tqspi, QSPI_FIFO_STATUS); =20 --=20 2.47.3 From nobody Mon Jan 26 22:50:21 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65D342356D9; Mon, 26 Jan 2026 17:50:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449860; cv=none; b=Q49Q1BlqJUocaXsaolVmq3OnvFP2j8lUAXGJyuLkuQ53ryikT7r46geElJltBD5GLc5+9pHUfxbAB1lpJWPxLExGLjqE9+wCOkBUTFKze2rmNSCS5PXltrSAj4INQklYMj8OIOpO9ZdnoJxOYSKyfGpfYjAB8tnlevx1O6oZsS0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449860; c=relaxed/simple; bh=jhglVcCYKNk1yxuXd4lmljJAcYgPjLfokj86rWqQZXg=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Hlvay0JlZNyt14pDisDsSr/PBgLnKtcTeOIAioJ6hCYa/jUyaXlhwXPwa7u1jNaJrUwXW1Ecr0zJ6doejeMfV4UQRYo6xbIJzoFJn/Y8UGO7uuhG8eoWWLZwytzAEglL4YwiQ7fEpZxkSAaYxls2Pz4opzfQfhmUmSv9uIRipHg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=m5bGaF4Y; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="m5bGaF4Y" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=KlzDJdzqhY36z/fITAC1mxUSIs0bgWkuhmstoha/ZOg=; b=m5bGaF4Y/70hlWvHvdRh1mFyVb PzGhFApBAPekp8VOSSZPu+Pqb4+O1/5Yt27xMCu75x/hVMw51E8uK3rKiydqZemauJVF8DY2MqxzR pHT8todRoiK8Z96doiIUs+GMEyDy5gV7HuvklB5VlRe7LUwYN2FPz9azADBrLKPeQIcTF3ZmdYsPH sRR/Ea7OUDQOncmXR9iej4cbtk57J7yQs8y/g5MgWmVBguFNcUwO2311kgnx5Iwhg2qyYPOXnVacZ XEQ4zpgQT9jEWpJAQncw9A07ML0GK1nAMjjavxdCCQ74leKJNaUQ9hFWDifApFI3WGVmnA3LgGcsQ 0EZDTttA==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1vkQjm-00GLZH-KU; Mon, 26 Jan 2026 17:50:54 +0000 From: Breno Leitao Date: Mon, 26 Jan 2026 09:50:27 -0800 Subject: [PATCH v2 2/6] spi: tegra210-quad: Move curr_xfer read inside spinlock Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260126-tegra_xfer-v2-2-6d2115e4f387@debian.org> References: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> In-Reply-To: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, soto@nvidia.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1888; i=leitao@debian.org; h=from:subject:message-id; bh=jhglVcCYKNk1yxuXd4lmljJAcYgPjLfokj86rWqQZXg=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpd6lvAd2TE5CEr+p+wM4p86h6527QDFlAkLeBo tvzAFaHZXSJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaXepbwAKCRA1o5Of/Hh3 bdEtD/9SIUrlc+GG7KEEmOf2yLvKkQzbm7YA04bL+sUdaL+vVRhyd/BASfE1Rj1OydlnR3m4LSx o0qPZIaZ9vOvW6bPRLIFlB9eiffKjz22ll6KqIcgIA9Omybc+bF9xcVAZC0+LBnN595Ez3HDujx ZBx/7clH/78QRzqe1qzoYxtbw0fwcKt06T5T/1p1mnF42sASLb7uj/ADDurIMpE9HfKtepZVR6N KUEGX1h/a2W5fvG+4YmjTDtia1nd3nr5kdYU32irRouuxhX1QSQYTMkeXP9aEbR7uKwGeb7LZ5C XJ+nFrAyx3uB9btcaTgu58T05dPAWhDRIxOtoefd0yTNHFl/cIXg6d5XMrm+4tFI2K5h+ycnbM1 TN8S7a7TdFkRTUQAuZT64XIzEIyPrDzpNq0MdxvOL+fo7ykpB44Q0WkfF9FDN2WrMjB3k5oESYI I5G6vTygWAc8s7ySeFng4TjBAHEbDZCC3SKeaCdrwMTzDk9DrNJGKJpTqMFv369sSxXwyk1ADVc sWRghxJ33rrGpZ6bF9XLGbpb2giESMVhQx3L67nXoLAy4EKXWujK3nG1utxR8lAnJqHoJxfz2p7 CO7EFcVtOnI2VcwXcvoUJKbm46VAQkq2RndqlGUHo15srSDzMVBVqct9jMnj0FooX9fE8VOn8Bh ShVLduj+5/lhb0A== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao Move the assignment of the transfer pointer from curr_xfer inside the spinlock critical section in both handle_cpu_based_xfer() and handle_dma_based_xfer(). Previously, curr_xfer was read before acquiring the lock, creating a window where the timeout path could clear curr_xfer between reading it and using it. By moving the read inside the lock, the handlers are guaranteed to see a consistent value that cannot be modified by the timeout path. Fixes: 921fc1838fb0 ("spi: tegra210-quad: Add support for Tegra210 QSPI con= troller") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index f0408c0b4b981..ee291b9e9e9c0 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -1440,10 +1440,11 @@ static int tegra_qspi_transfer_one_message(struct s= pi_controller *host, =20 static irqreturn_t handle_cpu_based_xfer(struct tegra_qspi *tqspi) { - struct spi_transfer *t =3D tqspi->curr_xfer; + struct spi_transfer *t; unsigned long flags; =20 spin_lock_irqsave(&tqspi->lock, flags); + t =3D tqspi->curr_xfer; =20 if (tqspi->tx_status || tqspi->rx_status) { tegra_qspi_handle_error(tqspi); @@ -1474,7 +1475,7 @@ static irqreturn_t handle_cpu_based_xfer(struct tegra= _qspi *tqspi) =20 static irqreturn_t handle_dma_based_xfer(struct tegra_qspi *tqspi) { - struct spi_transfer *t =3D tqspi->curr_xfer; + struct spi_transfer *t; unsigned int total_fifo_words; unsigned long flags; long wait_status; @@ -1513,6 +1514,7 @@ static irqreturn_t handle_dma_based_xfer(struct tegra= _qspi *tqspi) } =20 spin_lock_irqsave(&tqspi->lock, flags); + t =3D tqspi->curr_xfer; =20 if (num_errors) { tegra_qspi_dma_unmap_xfer(tqspi, t); --=20 2.47.3 From nobody Mon Jan 26 22:50:21 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F6322356D9; Mon, 26 Jan 2026 17:51:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449865; cv=none; b=UGOyz+40afXdHVrgBaJbtFAkzCyEckDY4KjTxWFeBs/AFk98moPKFYvjCponmDRBKcYskPhCEyoCz5qvctZqsAjK7DK6dVA4WiJ2LobswY5UUN3DakDuxL+BeK7myJt880FPummkeFdBympYdZfGaSwB271YxAYXVH1UDgbsbTQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449865; c=relaxed/simple; bh=H+Ndq8xyNh/axb2xX29smVYLN27vuMbWxkyvn8Sgxec=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=FaBpA0zQuQts1nswUWZWGY6aKcsVYRJ7hJpzPXx57Qb97W6q1shS0eKWbmMI7xCHobuNbYYYZiSYbCcvVCaoC0tKpVaEckf10/4sgVqXttopcbEeI26RxtLXda62m1PABl11DMmVStT5PKuN6jYAXUWUZpMXlLbCxdItAt3Hu1M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=V4XazW1K; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="V4XazW1K" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=v+IMqYPuPVmNe5aFHbSgO8W8b+6niWJ/Zo4VDfQC4bg=; b=V4XazW1KLpmcC0t8w6d7J5x6yl PXt2L0KHEVQ9XXLGBtxcvi8DIZCV1yuoy0yXfOba9ubkPjDoplgmfMbByDf6Fn16RTgiqNPjRtuHo 2oy2amFFPKOLvV4iejYUo0WrY6X/i0JzIebLSRTFa9YuhSn71wnJby9PBr7b8aLL7PdFlueGehExm 52F862dfsc7OqSg9s00+25tF4BeB6yaL253XWivpd6sGyuZOLbnB6WFDp6q1+JsyYzK5k4vBkjESt Fel3VOCKPdS505uZe/wweanj1q986XfnkFituu8Zr8v3Cry5Q1Vwi5Y6Qyp764TEbMh0EUfcO3P1Q A2Dy1QPw==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1vkQjq-00GLZZ-LV; Mon, 26 Jan 2026 17:50:58 +0000 From: Breno Leitao Date: Mon, 26 Jan 2026 09:50:28 -0800 Subject: [PATCH v2 3/6] spi: tegra210-quad: Protect curr_xfer assignment in tegra_qspi_setup_transfer_one Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260126-tegra_xfer-v2-3-6d2115e4f387@debian.org> References: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> In-Reply-To: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, soto@nvidia.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1833; i=leitao@debian.org; h=from:subject:message-id; bh=H+Ndq8xyNh/axb2xX29smVYLN27vuMbWxkyvn8Sgxec=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpd6lv++vxRUI/7L0769UMjw0LrUXjeKTwp9poi bCw3dkWb8OJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaXepbwAKCRA1o5Of/Hh3 bTwAEACvSgM5hPznk65yYsApQqkFqZwojRsGbJSzueWu6kV2i9fSgOnUWAdLLkFCcAepVG1qFqY ipKpkLRinfOsBs4LHldFCw8gc7A73yeuwMljQG7wYF3Y+QEt5GsPt6uhLgxQwYyEoiioCaa0Tai wkkazvLmM4oDaKZY6xoL+11VMKi3vN6gLbWHxEzfjMV4gyJrRQGoCFdmV+WFcXbql4rLFN8hm4O YkbTDMFBVrV/4VfzP2ILHupF0wKOeYd6Upaac4ci8tJpcmctenNlQfQBzs/UerpMkY+PgCqoEMf 68+xvLbE6sPyo8X03XadIGBPD7H5jTXN9eJUUzxidUpc4jwYsIZQFhvgYa8JoG6crw/EgP8N4QE l2cBfpaa8dbeplP99WkljV25SQXabwPUU84k9vXWnmeDTYZ3GMTtqjXFq1Fn3JfxKD7zSyQCf+b PQySsTBFVg2RTArPepP3YnfHjt0J/lk2fb7+9wP8EABd1VqQwTSzx5PFeEB3AY+ls2SlDc3gdUv bgJOPgK4ah0Oh9uoq1sIr2Jmd3pNsgqq9HfmIombS2339sxBSdHMS0+UmMrOOmJzKndLD2W62cz ShwlIkciWPKBo5hIN+08eOZTpccX93q33lCz0IDXT8q1FvMPIGJ6Cg5aHlRhjuZ0saOuciPvy4b rLyaFPxqYMx/hdA== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao When the timeout handler processes a completed transfer and signals completion, the transfer thread can immediately set up the next transfer and assign curr_xfer to point to it. If a delayed ISR from the previous transfer then runs, it checks if (!tqspi->curr_xfer) (currently without the lock also -- to be fixed soon) to detect stale interrupts, but this check passes because curr_xfer now points to the new transfer. The ISR then incorrectly processes the new transfer's context. Protect the curr_xfer assignment with the spinlock to ensure the ISR either sees NULL (and bails out) or sees the new value only after the assignment is complete. Fixes: 921fc1838fb0 ("spi: tegra210-quad: Add support for Tegra210 QSPI con= troller") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index ee291b9e9e9c0..15c110c00aca5 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -839,6 +839,7 @@ static u32 tegra_qspi_setup_transfer_one(struct spi_dev= ice *spi, struct spi_tran u32 command1, command2, speed =3D t->speed_hz; u8 bits_per_word =3D t->bits_per_word; u32 tx_tap =3D 0, rx_tap =3D 0; + unsigned long flags; int req_mode; =20 if (!has_acpi_companion(tqspi->dev) && speed !=3D tqspi->cur_speed) { @@ -846,10 +847,12 @@ static u32 tegra_qspi_setup_transfer_one(struct spi_d= evice *spi, struct spi_tran tqspi->cur_speed =3D speed; } =20 + spin_lock_irqsave(&tqspi->lock, flags); tqspi->cur_pos =3D 0; tqspi->cur_rx_pos =3D 0; tqspi->cur_tx_pos =3D 0; tqspi->curr_xfer =3D t; + spin_unlock_irqrestore(&tqspi->lock, flags); =20 if (is_first_of_msg) { tegra_qspi_mask_clear_irq(tqspi); --=20 2.47.3 From nobody Mon Jan 26 22:50:21 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C92CC344D8E; Mon, 26 Jan 2026 17:51:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449869; cv=none; b=b+fv1wef5/ruOsJbKE+S6zBDA7WSXLU0SQcAZrfyBZKjcvbKLnJZGc6l9CR8CWCSX2qqFK2qzcrZRPi7/R903JoLG5EBAwYtSzi7aeraS79TERoWXrSjOXfB4yn/0cmxua7Z9Fu6TuyhFDuB5HwIcBGnRQsqcAKVxz5Un1pZ6Vk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449869; c=relaxed/simple; bh=gHLJrmPDfIMrCZ7kw5VCcPkBEMeaARyKAbFX4qvq2nY=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=DElEv9sDSl2b2Q8vr1DBP9UYCBTgVc05LEz3D42YfU0BQswQaj3MosYVeJLLqE7IrWa5sbdtysf5UhYwggNRXt+WB+Bo25meFy7+rx7KM4yz70jGqEM6TPqshcbfsNWAiwMAuqzFKflkSZkeaRcURK1ttlla64KFaYC4Ok2rXrE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=ZogrBOyY; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="ZogrBOyY" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=6paBiB9nG7TuXtwzMfi3/5mMZxX24GhX3FrplJJ1QsU=; b=ZogrBOyYoOWbb4QHO+I93abfjx Oe53rpb2mQeoCcGPGIBsnXAyXdTFKiwWiVOuS+BNA8kFIq5XFD8B0s55lZ3+Q94mFBIbSs0iOeB05 6tkQsCzbr0HMfoI98Dlt1wWlTqBLzFaDl/VFvX2wFJlCYZUglw6ggPftDiOrzlzmraZQgzH3C0Drj o/5x0Xe74xCrC6zN1O68DXUlmvOF28sKC+brIDiHNv2X0wtA19pibS2f0TaOzj3L/bGXsqVpCiu5s QrAeet2OWSUrTQX0x125PK//Cn0At+Q7SK1DGesNDcZRN0GvzU0eolZU5iDqhVw7w7UWOfQwZ5238 +oppfV4Q==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1vkQju-00GLZu-Pl; Mon, 26 Jan 2026 17:51:03 +0000 From: Breno Leitao Date: Mon, 26 Jan 2026 09:50:29 -0800 Subject: [PATCH v2 4/6] spi: tegra210-quad: Protect curr_xfer in tegra_qspi_combined_seq_xfer Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260126-tegra_xfer-v2-4-6d2115e4f387@debian.org> References: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> In-Reply-To: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, soto@nvidia.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1797; i=leitao@debian.org; h=from:subject:message-id; bh=gHLJrmPDfIMrCZ7kw5VCcPkBEMeaARyKAbFX4qvq2nY=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpd6lvH9rLSC5n3s9QXsBxWNyZH0Gh8vScBp28D rtmUsVWfhmJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaXepbwAKCRA1o5Of/Hh3 bXjeD/wI/RV7L2Sx3FodUFoTYp2vBFjLazvIpEVPmNMNj370Dtvyc8hpSQzbf2nC0JWaguvlIpO ecZ00Wr7ERQEw1YyJ3mpUjPA/VfOKBxk2M1SnypMq4sEmRQaO6yGk6CPuIz+HVUSgiGge0sdL9N jWPcVACYKV6Brk3yJglhjoElRn3PIz4u5F8ftwL1RnHv0tuQeMBM0NxWohWj4cfL+ygj9UXCOfV L2LSdJgFrn6tHz9TvarBY0swKUgrrOMN/GNG2eM/axJwINKM4kYCLZzU8gjxtuO7BD1j02cHW7n r+ARh04PASOHlAm9yHI+f55OfwmOFQPv5Sm/5aNhfjKGz9xbFSQBVfbvOYMvJXOl0T+nzrXfhqP AVOh76TwWXLhZZU4b9hr1rCNQnYpSb/B1rW/416twkYWv6mJj/VLnNg7Iido4F0b6RjKxEfXJGQ rgfO6nQv2Ms1Mk42x9Z1BQVN0Lc92t/nphZGEshsSvn920yEkZXTQcZ5M18+y4MJ1qzqighmwYh DdN+25MC7Qv/qlyKx3ADJbDrv80lsPbEghfTUnsifOznnenyZC7UvovF/0L1UTLJ3nqVp8MtyER 5CTEm01ke1za+tzMRUaBejtfWvN0SDFTZgWoTRYc5djJAO8VROMFwthI3Dfmche6o8gEoO43384 DdgV0pbUqusq5mw== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao The curr_xfer field is read by the IRQ handler without holding the lock to check if a transfer is in progress. When clearing curr_xfer in the combined sequence transfer loop, protect it with the spinlock to prevent a race with the interrupt handler. Protect the curr_xfer clearing at the exit path of tegra_qspi_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field. Without this protection, the IRQ handler could read a partially updated curr_xfer value, leading to NULL pointer dereference or use-after-free. Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index 15c110c00aca5..669e01d3f56a6 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -1161,6 +1161,7 @@ static int tegra_qspi_combined_seq_xfer(struct tegra_= qspi *tqspi, u32 address_value =3D 0; u32 cmd_config =3D 0, addr_config =3D 0; u8 cmd_value =3D 0, val =3D 0; + unsigned long flags; =20 /* Enable Combined sequence mode */ val =3D tegra_qspi_readl(tqspi, QSPI_GLOBAL_CONFIG); @@ -1264,13 +1265,17 @@ static int tegra_qspi_combined_seq_xfer(struct tegr= a_qspi *tqspi, tegra_qspi_transfer_end(spi); spi_transfer_delay_exec(xfer); } + spin_lock_irqsave(&tqspi->lock, flags); tqspi->curr_xfer =3D NULL; + spin_unlock_irqrestore(&tqspi->lock, flags); transfer_phase++; } ret =3D 0; =20 exit: + spin_lock_irqsave(&tqspi->lock, flags); tqspi->curr_xfer =3D NULL; + spin_unlock_irqrestore(&tqspi->lock, flags); msg->status =3D ret; =20 return ret; --=20 2.47.3 From nobody Mon Jan 26 22:50:21 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 144823446A9; Mon, 26 Jan 2026 17:51:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449874; cv=none; b=eD59x9V2Asz+5YhdMNKXhIN5VQe0vtOyTd9fwR/f2SUk6P8wu9OPBUgmTRyFSA6iEl4YY5JPfqxuH5dktvcmF0p3c0mgR9EHB2jvYq8uxNRwEAh7fgLfT8MrwwMXBiuRPnm5eLXmtYzqo1QlhA4SDQL+77pYHteqFu3VsBEMVXo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449874; c=relaxed/simple; bh=oHsppgOVm1uTJGTIRuD2JidFIMjUWIGBXVikALrCcfw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=EHOqBASIuZHWxGH3M/RLR9q41hTPWeS/yQt1HbusYCIbNPbn4tPKUrq+tu5NHoSJK32dKdPtILqB2IAxFWpkoxTykhGD+RCt6EJCtlo9mEtVnb4O7uo7OnZ3BnxZYx8APKCObb8XTUIS3yc7zAg0AB3TlG+fq3vlvjgufhFQK8o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=kHYCkL45; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="kHYCkL45" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=A059W1k9gqtnhjYsvn/29VQuXXtuzYg592TH9tdDDeU=; b=kHYCkL45uTnFoLwEXfyhsG9HoN KQXLQ1GNvnZUPy+GB/37t0qhNt7YX9N1eQOZkPKnCmz4yXEBNYkFffI+HFbi4oTReWi8BURq6GzPU TMQQecS9CgehCJi98j0RLvNIQ6C1tjk/xFQQnpzdOWEpv3B8ZDavxOuK8md7rCiaeMc6RRhbDrEFG FKtJd9R9U39o8k5mkFiCxaM4cl5hK1EFTUVjvwJiwb/LMxRbg1p0UueNDMEtJHXl0HliziHwdYHPH hb8+ZdM17HLU7jC51VOhDPKXPjDus7Igu7wt4szpPLrrCH/f2+SG290FsimcLm5z0PLtG9kxuePkx pc2HqWDQ==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1vkQjy-00GLa5-UO; Mon, 26 Jan 2026 17:51:07 +0000 From: Breno Leitao Date: Mon, 26 Jan 2026 09:50:30 -0800 Subject: [PATCH v2 5/6] spi: tegra210-quad: Protect curr_xfer clearing in tegra_qspi_non_combined_seq_xfer Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260126-tegra_xfer-v2-5-6d2115e4f387@debian.org> References: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> In-Reply-To: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, soto@nvidia.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=1210; i=leitao@debian.org; h=from:subject:message-id; bh=oHsppgOVm1uTJGTIRuD2JidFIMjUWIGBXVikALrCcfw=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpd6lw4IyO5WLhLgQFIxTEp7sO2iQgN+Jc5Fz4M WldSlNb9AKJAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaXepcAAKCRA1o5Of/Hh3 bVOVEACubdmBK80ZMoxahwajHnER1gysKEgqeKLkoE5DuYDtqTls3F+6Dl7km9T5he/abdv/zny Nff38Ay3J80iBsncjCrSTJc7wzVg09jNwrqQX58ouPb6R/LwVsv6w7mfhaLsGJcv4Ms4MdaGAB2 GdkLofjofFF76QHIjSfGvbtALJez/fKm6ihad4EoHuWNIdiIM9R8MGSQF2Jvx970Vq8EK2Xhy0U SbAPSxcT+AuxfDSweOL8TPGWgVTD+B8sypDnZCBkxwlFdZ1/y2xy68HHR35mfJw4Tv/gg79lz/2 gdz0oTZpCCd9Rlmef89zItB5c9zz1Y48rjJpzJ2P+qP4WzB7Aqpy0YYh5QgEsvSYy7YBpFK4FwN o6zktX/TZCJql2KP8ouRNBJfYtznGbKti2scptFli7fO2A3I+D7B+dypAgfmRUTZNi8/gDXqHGv DrM9y0BKxH7pPz7ssMQ3Uhq9InvRiGhgaFUp0jqTvT2MlD+kIYKR72JpHOyBm97oY6p1k82kYEf FJtrlRHBA3QO+YL2KjvQ3c9Qvlc4sANh6VukShnVRnJ+HFdnJ29EbyPJzHE7q+bp36/uElZ0UOT g96+255XqVY65i2ab64TbjQ+hWrikh6ZejQvq1K+Yrfu2m/sf8r0PPmk7EnXc+RcidtcVgV4GVW FMiRN/8YdZ9E4Xg== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao Protect the curr_xfer clearing in tegra_qspi_non_combined_seq_xfer() with the spinlock to prevent a race with the interrupt handler that reads this field to check if a transfer is in progress. Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index 669e01d3f56a6..79aeb80aa4a70 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -1288,6 +1288,7 @@ static int tegra_qspi_non_combined_seq_xfer(struct te= gra_qspi *tqspi, struct spi_transfer *transfer; bool is_first_msg =3D true; int ret =3D 0, val =3D 0; + unsigned long flags; =20 msg->status =3D 0; msg->actual_length =3D 0; @@ -1368,7 +1369,9 @@ static int tegra_qspi_non_combined_seq_xfer(struct te= gra_qspi *tqspi, msg->actual_length +=3D xfer->len + dummy_bytes; =20 complete_xfer: + spin_lock_irqsave(&tqspi->lock, flags); tqspi->curr_xfer =3D NULL; + spin_unlock_irqrestore(&tqspi->lock, flags); =20 if (ret < 0) { tegra_qspi_transfer_end(spi); --=20 2.47.3 From nobody Mon Jan 26 22:50:21 2026 Received: from stravinsky.debian.org (stravinsky.debian.org [82.195.75.108]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 36FD534D390; Mon, 26 Jan 2026 17:51:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=82.195.75.108 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449878; cv=none; b=NqtQJ0vmW5YLwMJ49eh8YJgdeWjgVn+FfnRjZ6nmBdhbCFJRzE1FBb1Jp8cdpHQNGvoW1xryqJTj202N/Vw16INvsfJeqk44HQ1FR1dWePaAHfDwSEsUjRBtTMqEXU0Fy7he563gNtfjI24FocsvT6KXQSIJzYef3tqFX+lkP9s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1769449878; c=relaxed/simple; bh=Q81YilWbPLWtEp7yxcbHsFIR2jpqUv0EOpT10c6Xuvw=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References: In-Reply-To:To:Cc; b=Fkw4IYpI3DjuUECv+9Fvkj45nRtL7Qq9UYe6k8O1xeOvg4z2wt3R5iH4DSi2jyMT5cNNBbZDgOwG4L1NNYzNZOzHnHW0ENDTSrRk3S3rNjJuv6rsssZO93e/3sDaNDrG4zs7efWskR3uPxi3wnHvKV0C75l7xHUDXqRX3EKyD+0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org; spf=none smtp.mailfrom=debian.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b=bTTjio5d; arc=none smtp.client-ip=82.195.75.108 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=debian.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=debian.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=debian.org header.i=@debian.org header.b="bTTjio5d" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; s=smtpauto.stravinsky; h=X-Debian-User:Cc:To:In-Reply-To:References: Message-Id:Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date: From:Reply-To:Content-ID:Content-Description; bh=enYJz9EqJNqwh5dKgF2h4XKb81SowoT5sujLs8RC+V0=; b=bTTjio5dME77OWNFHg6USruoPl JnexsRaW7BLdz3E78aYqKUgimrPvCMthau2UD406vU6FUV7H0EGLTemLBkNU+eyaoO9xforK/x5Y3 d5MYy5+gWoonb7EsMlJxUZ+ZB2hT66eeGEbZNvFjhMfhJJvGMpp2VINlGNo2VZIWI38PlsX1CAvVX ejkk1JgY7I+XjxNl5OZ79TQ5Hj0z76CIkhGdS/11LQs54X741tNCV7McKHY9qUZf9NVdGHsI51+5b 8rPJUtq5ZTu31HlF0En3vLcIbdT6Bz8sIcy+Xp9un7GIGcUdKTd3K/OOABwA0TI8VGwU+xQcRSBJJ GUpkgWXw==; Received: from authenticated user by stravinsky.debian.org with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94.2) (envelope-from ) id 1vkQk3-00GLaL-35; Mon, 26 Jan 2026 17:51:11 +0000 From: Breno Leitao Date: Mon, 26 Jan 2026 09:50:31 -0800 Subject: [PATCH v2 6/6] spi: tegra210-quad: Protect curr_xfer check in IRQ handler Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260126-tegra_xfer-v2-6-6d2115e4f387@debian.org> References: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> In-Reply-To: <20260126-tegra_xfer-v2-0-6d2115e4f387@debian.org> To: Thierry Reding , Jonathan Hunter , Sowjanya Komatineni , Laxman Dewangan , Mark Brown , Vishwaroop A Cc: Thierry Reding , linux-tegra@vger.kernel.org, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, Breno Leitao , kernel-team@meta.com, soto@nvidia.com X-Mailer: b4 0.15-dev-47773 X-Developer-Signature: v=1; a=openpgp-sha256; l=3702; i=leitao@debian.org; h=from:subject:message-id; bh=Q81YilWbPLWtEp7yxcbHsFIR2jpqUv0EOpT10c6Xuvw=; b=owEBbQKS/ZANAwAIATWjk5/8eHdtAcsmYgBpd6lwjTHBL+FKmdyD8HH3w4do+kkthCCuRqavw s31q5DOPu2JAjMEAAEIAB0WIQSshTmm6PRnAspKQ5s1o5Of/Hh3bQUCaXepcAAKCRA1o5Of/Hh3 bfhmD/9R5eTrEns8UylPi6v7RQAw26T2O58zpqjdgmQoLpXC0IZlJAqfRMDVUdWkQGmkWD/mLv9 he2Mj2QpIiF7UAK2j5oYfEUFKvF/Iu4fxIo5gIP0ht0RoVWF40Dkg68YiOncy15BG0kVECuQQCo x/9TYuV9qx3NVaKRBRHKZiAamx49HxmTQnNtBBtVZ3fg6Jjw6g1oDFC36T/FVlmkXm1YTlTrpA8 qFp3mxO6Kg8zp1o6dS0h8+a4zSPUxZqnutwzL1shGtOA4nOhRuBIFygW3Ta+ktJLX7uvZUHKtrc Ugxng45urOJoMg4ewHVDjcNAoi5EQ051+u0utqESzTv9Tl2zzQLsVabExEeBGVT5KYrOji/74ah /uL0IxWhZCjW0oVtDSlRa1kMmY8eRVlMB11JCA/U1mBZEiozXvK+sg9r3GDzOHi9MybZdonQ8cc pym2tFHq25TDPpf1XXqPmbdQccxmsO6pi4lFmfMNIRtIh0pf6ngdTZd0t3rJro366CFK5ZZimC+ PCev7pzjnnS6b80tqer2f+OkNxiRhJLoSPGtqhrJ/yi8bbtMLuYytmgZJmVWdYgy0/jvSpGvmki N9PUYIYn1SxVK9z5tLu6gEqvcJnoBdbeojlCPbgPRKfcuLb4U+9S0S6DwqWHw2OuLZ8rxxrTiaZ 0GkDpwwrrlSguvQ== X-Developer-Key: i=leitao@debian.org; a=openpgp; fpr=AC8539A6E8F46702CA4A439B35A3939FFC78776D X-Debian-User: leitao Now that all other accesses to curr_xfer are done under the lock, protect the curr_xfer NULL check in tegra_qspi_isr_thread() with the spinlock. Without this protection, the following race can occur: CPU0 (ISR thread) CPU1 (timeout path) ---------------- ------------------- if (!tqspi->curr_xfer) // sees non-NULL spin_lock() tqspi->curr_xfer =3D NULL spin_unlock() handle_*_xfer() spin_lock() t =3D tqspi->curr_xfer // NULL! ... t->len ... // NULL dereference! With this patch, all curr_xfer accesses are now properly synchronized. Although all accesses to curr_xfer are done under the lock, in tegra_qspi_isr_thread() it checks for NULL, releases the lock and reacquires it later in handle_cpu_based_xfer()/handle_dma_based_xfer(). There is a potential for an update in between, which could cause a NULL pointer dereference. To handle this, add a NULL check inside the handlers after acquiring the lock. This ensures that if the timeout path has already cleared curr_xfer, the handler will safely return without dereferencing the NULL pointer. Fixes: b4e002d8a7ce ("spi: tegra210-quad: Fix timeout handling") Signed-off-by: Breno Leitao --- drivers/spi/spi-tegra210-quad.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/drivers/spi/spi-tegra210-quad.c b/drivers/spi/spi-tegra210-qua= d.c index 79aeb80aa4a70..f425d62e0c276 100644 --- a/drivers/spi/spi-tegra210-quad.c +++ b/drivers/spi/spi-tegra210-quad.c @@ -1457,6 +1457,11 @@ static irqreturn_t handle_cpu_based_xfer(struct tegr= a_qspi *tqspi) spin_lock_irqsave(&tqspi->lock, flags); t =3D tqspi->curr_xfer; =20 + if (!t) { + spin_unlock_irqrestore(&tqspi->lock, flags); + return IRQ_HANDLED; + } + if (tqspi->tx_status || tqspi->rx_status) { tegra_qspi_handle_error(tqspi); complete(&tqspi->xfer_completion); @@ -1527,6 +1532,11 @@ static irqreturn_t handle_dma_based_xfer(struct tegr= a_qspi *tqspi) spin_lock_irqsave(&tqspi->lock, flags); t =3D tqspi->curr_xfer; =20 + if (!t) { + spin_unlock_irqrestore(&tqspi->lock, flags); + return IRQ_HANDLED; + } + if (num_errors) { tegra_qspi_dma_unmap_xfer(tqspi, t); tegra_qspi_handle_error(tqspi); @@ -1565,6 +1575,7 @@ static irqreturn_t handle_dma_based_xfer(struct tegra= _qspi *tqspi) static irqreturn_t tegra_qspi_isr_thread(int irq, void *context_data) { struct tegra_qspi *tqspi =3D context_data; + unsigned long flags; u32 status; =20 /* @@ -1582,7 +1593,9 @@ static irqreturn_t tegra_qspi_isr_thread(int irq, voi= d *context_data) * If no transfer is in progress, check if this was a real interrupt * that the timeout handler already processed, or a spurious one. */ + spin_lock_irqsave(&tqspi->lock, flags); if (!tqspi->curr_xfer) { + spin_unlock_irqrestore(&tqspi->lock, flags); /* Spurious interrupt - transfer not ready */ if (!(status & QSPI_RDY)) return IRQ_NONE; @@ -1599,7 +1612,14 @@ static irqreturn_t tegra_qspi_isr_thread(int irq, vo= id *context_data) tqspi->rx_status =3D tqspi->status_reg & (QSPI_RX_FIFO_OVF | QSPI_RX_FIF= O_UNF); =20 tegra_qspi_mask_clear_irq(tqspi); + spin_unlock_irqrestore(&tqspi->lock, flags); =20 + /* + * Lock is released here but handlers safely re-check curr_xfer under + * lock before dereferencing. + * DMA handler also needs to sleep in wait_for_completion_*(), which + * cannot be done while holding spinlock. + */ if (!tqspi->is_curr_dma_xfer) return handle_cpu_based_xfer(tqspi); =20 --=20 2.47.3