From: Takashi Sakamoto
To: linux1394-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Andreas Persson
Subject: [PATCH] firewire: core: fix race condition against transaction list
Date: Wed, 28 Jan 2026 07:34:13 +0900
Message-ID: <20260127223413.22265-1-o-takashi@sakamocchi.jp>

The list of transactions is enumerated without acquiring the card lock when
processing an AR response event. This causes a race condition bug when
processing an AT request completion event concurrently.

This commit fixes the bug by putting the timer start for split transaction
expiration into the scope of the lock. The value of jiffies in the card
structure is referred to before acquiring the lock.

Cc: stable@vger.kernel.org # v6.18
Fixes: b5725cfa4120 ("firewire: core: use spin lock specific to timer for split transaction")
Reported-by: Andreas Persson
Closes: https://github.com/alsa-project/snd-firewire-ctl-services/issues/209
Tested-by: Andreas Persson
Signed-off-by: Takashi Sakamoto --- drivers/firewire/core-transaction.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-tr= ansaction.c index 7fea11a5e359..22ae387ae03c 100644 --- a/drivers/firewire/core-transaction.c +++ b/drivers/firewire/core-transaction.c @@ -173,20 +173,14 @@ static void split_transaction_timeout_callback(struct= timer_list *timer) } } =20 -static void start_split_transaction_timeout(struct fw_transaction *t, - struct fw_card *card) +// card->transactions.lock should be acquired in advance for the linked li= st. +static void start_split_transaction_timeout(struct fw_transaction *t, unsi= gned int delta) { - unsigned long delta; - if (list_empty(&t->link) || WARN_ON(t->is_split_transaction)) return; =20 t->is_split_transaction =3D true; =20 - // NOTE: This can be without irqsave when we can guarantee that __fw_send= _request() for - // local destination never runs in any type of IRQ context. - scoped_guard(spinlock_irqsave, &card->split_timeout.lock) - delta =3D card->split_timeout.jiffies; mod_timer(&t->split_timeout_timer, jiffies + delta); } =20 
@@ -207,13 +201,20 @@ static void transmit_complete_callback(struct fw_pack= et *packet, break; case ACK_PENDING: { + unsigned int delta; + // NOTE: This can be without irqsave when we can guarantee that __fw_sen= d_request() for // local destination never runs in any type of IRQ context. scoped_guard(spinlock_irqsave, &card->split_timeout.lock) { t->split_timeout_cycle =3D compute_split_timeout_timestamp(card, packet->timestamp) & 0xffff; + delta =3D card->split_timeout.jiffies; } - start_split_transaction_timeout(t, card); + + // NOTE: This can be without irqsave when we can guarantee that __fw_sen= d_request() for + // local destination never runs in any type of IRQ context. + scoped_guard(spinlock_irqsave, &card->transactions.lock) + start_split_transaction_timeout(t, delta); break; } case ACK_BUSY_X: base-commit: 6b617317e5bc95e9962a712314ae0c4b7a4d5cc3 --=20 2.51.0
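Review bot: In the first hunk, the requirement that card->transactions.lock be held when calling start_split_transaction_timeout() is stated only in the new comment, and with the card parameter dropped the function has no way to check it. Consider keeping `struct fw_card *card` as an argument and adding `lockdep_assert_held(&card->transactions.lock);` ahead of the `list_empty(&t->link)` test, so that a later caller that forgets the lock is caught on a lockdep build. Separately, delta changes from `unsigned long` in the removed lines to `unsigned int` in the new signature while it is still added to jiffies; keeping `unsigned long` would match that expression.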
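Review bot: In the ACK_PENDING case of transmit_complete_callback(), the comment added above `scoped_guard(spinlock_irqsave, &card->transactions.lock)` is a verbatim copy of the irqsave NOTE that already sits above the split_timeout.lock guard, and it does not say what the second lock protects. A line stating that transactions.lock covers the `list_empty(&t->link)` check and the mod_timer() call inside start_split_transaction_timeout() would document the ordering this fix relies on. The commit message places the unlocked list access in AR response processing, while both hunks change the AT completion path; one sentence in the message connecting the two would make the fix easier to verify.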