From nobody Mon Jun 15 06:29:39 2026 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0076233B96F for ; Wed, 8 Apr 2026 13:24:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775654642; cv=none; b=NF3spD+V6zdIwfC7hnX5O/IFe89SoYagCWIGLdIBVGKHtUHPTENer9T03hGWUn7ONfF1dUyDSUsZoeMO4tfGuZKywOEaBjORi7jUNRe9Z08w/dbVQVpZSW7RhJu6QaeFuP7wjKEowm4maHEsOmvvVcsLmNHptt66FSyRrdwRXe8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775654642; c=relaxed/simple; bh=KiQ/IrzzL3ANrzaJSdZoqPviRgQu2S3d/exNOFGp/DI=; h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc; b=Q6lfVxY2I2DRmxBan6tUFKwom9FHLfFV1MKNubF/gLIt3hqOZqMS28Uqf0ffkxjGgwNrcF+Hl1gap9W2iQnFcTzSH42N1jDiu+0Ub0sCBDhmovI8QuQQB+POHbqjYdE8QwXgRsOIS2jkQ+t5RYFTTRpWBdZ8gmGJcAmPaEXlrX8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=GMbwE1Km; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=G9lGATnq; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="GMbwE1Km"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="G9lGATnq" Received: from pps.filterd (m0279873.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 638AwIZX072568 for ; Wed, 8 Apr 2026 13:24:00 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=qcppdkim1; bh=seV0jNRW43BQy38HSt7co1 dbaDYjW5QgU3tBgjyLzOw=; b=GMbwE1Km9mHupd7kr6auukNY7wBhi2MMY/z+Zw kVu016DP8kYvBQvMaGm3pZPv8FFiHa4DnVoprync9Qi++cOYYvFXXobdwfGt9g1T 0/Meu7gKl8R5P4FbVdYSki2jiG6UqAqGO/o7DsdNsN3zMs9kbTjqOJ8jcqvAXc+n oH4/fXe4aEGXOswQ8qXuO8xM4vdOklEZo+egNDwclL78cXfP74RkRE/3W79YwjvK UYZYYbt9i2R6GSWCiPFyUjJVyXIlutJlZe2OVJVTSw3EZ/qLOqyc7gBPfCEiy23a 1j8V1O67/nnjBpnDBPRVx8NkNDcy0oiravg0HmJNM0sfNclA== Received: from mail-pj1-f70.google.com (mail-pj1-f70.google.com [209.85.216.70]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4dd7sxbe89-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Wed, 08 Apr 2026 13:23:59 +0000 (GMT) Received: by mail-pj1-f70.google.com with SMTP id 98e67ed59e1d1-35da99b90f6so6922688a91.1 for ; Wed, 08 Apr 2026 06:23:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1775654639; x=1776259439; darn=vger.kernel.org; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:from:to:cc:subject:date:message-id:reply-to; bh=seV0jNRW43BQy38HSt7co1dbaDYjW5QgU3tBgjyLzOw=; b=G9lGATnqNTjBuazOTFVXqQzslbtieDjwOgkHRD8E3BHIrwVOG0MqxOxaMSXwydQNYo FpZ2/ZeoDgHNJ7FySKybVnRfc97kNRb5eEHcQqtq1mZRszX0BdFyITmGb1o0Fw+EDQG6 elt8/inRX42XFwrSx9hSJNN5bc87Sb4hW4e7J22NpiS6+DoUhjESR823YQ14wAnBi5Qq hPqVjTT52gXnVGhGeUDk+FLeeE341Yrpvt6s6ss2clIFHKu7+QZIjoXPaXR9pvob7bwx bBr9UbwOShtW8hjms3D6EQ271K5rtZgoom1QnLI8l8mUdBMehljpItDlclCSS+b5SOQZ +J0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775654639; x=1776259439; h=cc:to:message-id:content-transfer-encoding:mime-version:subject :date:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=seV0jNRW43BQy38HSt7co1dbaDYjW5QgU3tBgjyLzOw=; b=A/D/6AKanI9FNeXdB9fLrtJU6w8oCac5rGkzamowtk5GWEcT0CaL6mbxtHBSMs1gAb IYjP9MclOR0xX53ZpLeJgm72vNEgCSsVLBka3oAkTGWy4ZAw9e1vfPs1o4O9d+PO/oL5 UtJlS9EhBNOqocf5Ewf2Aos/wTtDlGSW/gQ3aPbKAhMxcjEduHGcWDCGp1gSL7FiuWwp wsE7tPeN76YhJTjpE5h6fQd7g6xfmIB9WyZ68mWt0FVI3ImrFkxzuJWcRzHuYH4ay69s Z2bD1Z5asiVy2I1AJiAYaRp82DMPWdOjOp+itlWIVO5wUXc70jFt7vzgehsC/mOJbWgm yJwQ== X-Forwarded-Encrypted: i=1; AJvYcCW+eiC93cDzeVX9J8T71ekJK1HE5j2GUN5CSos+rE5+zNbsI7wJU+FVGtEudzmnI+irzBHvIjFzJCRAULI=@vger.kernel.org X-Gm-Message-State: AOJu0YyHBcb8XMTr9O4LwKAFrZ0zibz2TLUhCuJkkM/sc3rqTqCeSOz8 AQgPCzPh0Ua6fa+YcbjsUqTqRByLB1d9yiQ9sOMIcqLTiWIP6IShKaW/Dxpjc4a+MHmqAbjH5cT n5cSgyIGe5TlFKgE3KGT9/bZlVoguE+M5UGRsm6KrA+FMHXVi4MxwPPZptdSlmK8AJHBMbnSnXm CEKQ== X-Gm-Gg: AeBDieuWUQkGX7oZdAOVnDo+2YIWauv+cB96ALDzAU5SyZ+TAjUh/WyB53R8SbP6GKx N/PF/2ug1WcHI5+UQWonEgOHRy0r5ZIojRltBQ0vjTAUK18cWzk4HKF0w2TwC8XIdJYOMXdhgfg hnhCzhrUjFcjJA9thTStMZEm3ZcVsXT8GdY/iZImZRvZ2XY16BWrerIptazNK6yRNrESjT2dDR9 AajCS9XmeqDGtymCH6oWo/0/ZV1QMfQPDwqZZpmbHoU2p+zE6wn7npcNoE0f6QkqDYdfs6hsCet sW7XhiAxq0cyCXDGLaXc9Pwka+RpKN8uIhjf3PPRMMvZckCUrMqjCdVoLMubMsIA2lWQj+UxleQ AtYRarTf/4o1sNIy4LKV5VUz1fzu/iJe9ybVPYOYXepL2ajdCi1OWR5s9X38jRQhfOiLOyX5j3x T54CiPT6a5 X-Received: by 2002:a17:90b:4fc9:b0:35d:ac4d:3cb7 with SMTP id 98e67ed59e1d1-35de68417f5mr18906548a91.6.1775654638601; Wed, 08 Apr 2026 06:23:58 -0700 (PDT) X-Received: by 2002:a17:90b:4fc9:b0:35d:ac4d:3cb7 with SMTP id 98e67ed59e1d1-35de68417f5mr18906521a91.6.1775654638109; Wed, 08 Apr 2026 06:23:58 -0700 (PDT) Received: from jiegan-gv.ap.qualcomm.com (tpe-colo-wan-fw-bordernet.qualcomm.com. [103.229.16.4]) by smtp.gmail.com with ESMTPSA id 98e67ed59e1d1-35e289cb813sm1046347a91.14.2026.04.08.06.23.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 08 Apr 2026 06:23:57 -0700 (PDT) From: Jie Gan Date: Wed, 08 Apr 2026 21:23:44 +0800 Subject: [PATCH] coresight: tpda: fix race between refcnt check and register access Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-Id: <20260408-fix-race-condition-issue-v1-1-9a148d07e08f@oss.qualcomm.com> X-B4-Tracking: v=1; b=H4sIAOBW1mkC/x2MSQqAMAwAvyI5G6i1LvgV8aBt1FyqNCqC+HeDx 4GZeUAoMQl02QOJLhbeokKRZ+DXMS6EHJTBGlsbZ1qc+cY0ekK/xcCH6sgiJ2FwzprSVm5qG9B 8T6Tuv+6H9/0ATGpbKWoAAAA= To: Suzuki K Poulose , Mike Leach , James Clark , Leo Yan , Alexander Shishkin , Tingwei Zhang , Tao Zhang Cc: coresight@lists.linaro.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Jie Gan X-Mailer: b4 0.14.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1775654634; l=4282; i=jie.gan@oss.qualcomm.com; s=20250909; h=from:subject:message-id; bh=KiQ/IrzzL3ANrzaJSdZoqPviRgQu2S3d/exNOFGp/DI=; b=jJ3QF/2Pjbwdo1DzYdwjHeSxd1oBs+phCjtMPF9PtPX4/IAvw4zeHE76qLpRReSv7qs7Mdefa 0l58cJcNP23Cq5hDrulgYCp/4luyMAQu7gafZyo6mAN2UHcRd5+3tOd X-Developer-Key: i=jie.gan@oss.qualcomm.com; a=ed25519; pk=3LxxUZRPCNkvPDlWOvXfJNqNO4SfGdy3eghMb8puHuk= X-Authority-Analysis: v=2.4 cv=etfvCIpX c=1 sm=1 tr=0 ts=69d656ef cx=c_pps a=0uOsjrqzRL749jD1oC5vDA==:117 a=nuhDOHQX5FNHPW3J6Bj6AA==:17 a=IkcTkHD0fZMA:10 a=A5OVakUREuEA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=rJkE3RaqiGZ5pbrm-msn:22 a=EUspDBNiAAAA:8 a=_RqGKq5OiZDgAwGmis0A:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=mQ_c8vxmzFEMiUWkPHU9:22 X-Proofpoint-ORIG-GUID: MeLVx_GoaxvooYMGIcm45fs8AUTd_xNR X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNDA4MDEyMyBTYWx0ZWRfX089YcIxMtrTl OSsWQUkqYxOldKVaeixPahTFnCX4igWjUD5aOoziCXoxnNVEWg6llxk7ndtHqPe3dx5veFsWKMU nhlQJf9P5hxlnNyJe/k5N/1KXMUtCUXONiFgKENvu4LkIK8XGwfMPiq901b96WcKvOcESS2SuHA NTcCXzuhrOemjQAVlMyKafwj5vAeuPKPChY+p/HIBzTuzyzaTWWiDwgmmZUUtWEBBHxFnmI22N8 vNtVfZKpy1CTKBRUzExC44aOmiEMP0aGW+VNoPhub5vwFTRsXtMXc4cgU3PoZWR61MjstdtbhAb uzo2/Q65LUCKFtKhx2vBa3C1vPW0jz2huooPaHh8sn55Bf3wnw2YD1lzSu4pbLBRr2ipx6nvjHB COnH8LEZLnOJaF+eHMo+wFcVOtqUJ5ddwRdNCzzEeTOE4x0x+FKaLvhTa4gHxP4jr0MqpqZYk6b J9zE8BoHThvYKo8TFYw== X-Proofpoint-GUID: MeLVx_GoaxvooYMGIcm45fs8AUTd_xNR X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-08_04,2026-04-08_01,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 lowpriorityscore=0 phishscore=0 bulkscore=0 impostorscore=0 suspectscore=0 spamscore=0 clxscore=1015 malwarescore=0 adultscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2604010000 definitions=main-2604080123 Several sysfs show/store handlers check csdev->refcnt before acquiring the spinlock, then access hardware registers inside the lock. This is a race: between the check and the lock acquisition, the following can occur on another CPU: CPU 0 (sysfs reader) CPU 1 (disable path) =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94= =80=E2=94=80=E2=94=80=E2=94=80=E2=94=80 =E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94= =80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80= =E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2= =94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80=E2=94=80 refcnt =3D=3D 1, check passes [waiting for spinlock] tpda_disable(): refcnt =E2=86=92 0 debug clock disabled spinlock acquired readl_relaxed() =E2=86=90 FAULT/hang tpda_disable() decrements csdev->refcnt under the same spinlock, so moving the refcnt check inside the lock closes the race. Fix all six affected sysfs handlers: global_flush_req_show/store, syncr_mode_show, syncr_count_show, and port_flush_req_show/store. Fixes: 8e1c358a3b0e ("coresight: tpda: add global_flush_req sysfs node") Fixes: 33f04ead7c49 ("coresight: tpda: add logic to configure TPDA_SYNCR re= gister") Fixes: a089d585a7f4 ("coresight: tpda: add sysfs node to flush specific por= t") Signed-off-by: Jie Gan Reviewed-by: James Clark --- drivers/hwtracing/coresight/coresight-tpda.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/hwtracing/coresight/coresight-tpda.c b/drivers/hwtraci= ng/coresight/coresight-tpda.c index 89c8f71f0aff..63a979312463 100644 --- a/drivers/hwtracing/coresight/coresight-tpda.c +++ b/drivers/hwtracing/coresight/coresight-tpda.c @@ -360,10 +360,10 @@ static ssize_t global_flush_req_show(struct device *d= ev, struct tpda_drvdata *drvdata =3D dev_get_drvdata(dev->parent); unsigned long val; =20 + guard(spinlock)(&drvdata->spinlock); if (!drvdata->csdev->refcnt) return -EINVAL; =20 - guard(spinlock)(&drvdata->spinlock); val =3D readl_relaxed(drvdata->base + TPDA_CR); /* read global_flush_req bit */ val &=3D TPDA_CR_FLREQ; @@ -382,10 +382,13 @@ static ssize_t global_flush_req_store(struct device *= dev, if (kstrtoul(buf, 0, &val)) return -EINVAL; =20 - if (!drvdata->csdev->refcnt || !val) + if (!val) return -EINVAL; =20 guard(spinlock)(&drvdata->spinlock); + if (!drvdata->csdev->refcnt) + return -EINVAL; + val =3D readl_relaxed(drvdata->base + TPDA_CR); /* set global_flush_req bit */ val |=3D TPDA_CR_FLREQ; @@ -404,10 +407,10 @@ static ssize_t syncr_mode_show(struct device *dev, struct tpda_drvdata *drvdata =3D dev_get_drvdata(dev->parent); unsigned long val, syncr_val; =20 + guard(spinlock)(&drvdata->spinlock); if (!drvdata->csdev->refcnt) return -EINVAL; =20 - guard(spinlock)(&drvdata->spinlock); syncr_val =3D readl_relaxed(drvdata->base + TPDA_SYNCR); val =3D FIELD_GET(TPDA_SYNCR_MODE_CTRL_MASK, syncr_val); =20 @@ -440,10 +443,10 @@ static ssize_t syncr_count_show(struct device *dev, struct tpda_drvdata *drvdata =3D dev_get_drvdata(dev->parent); unsigned long val; =20 + guard(spinlock)(&drvdata->spinlock); if (!drvdata->csdev->refcnt) return -EINVAL; =20 - guard(spinlock)(&drvdata->spinlock); val =3D readl_relaxed(drvdata->base + TPDA_SYNCR); val &=3D TPDA_SYNCR_COUNT_MASK; =20 @@ -478,10 +481,10 @@ static ssize_t port_flush_req_show(struct device *dev, struct tpda_drvdata *drvdata =3D dev_get_drvdata(dev->parent); unsigned long val; =20 + guard(spinlock)(&drvdata->spinlock); if (!drvdata->csdev->refcnt) return -EINVAL; =20 - guard(spinlock)(&drvdata->spinlock); val =3D readl_relaxed(drvdata->base + TPDA_FLUSH_CR); =20 return sysfs_emit(buf, "0x%lx\n", val); @@ -498,10 +501,13 @@ static ssize_t port_flush_req_store(struct device *de= v, if (kstrtou32(buf, 0, &val)) return -EINVAL; =20 - if (!drvdata->csdev->refcnt || !val) + if (!val) return -EINVAL; =20 guard(spinlock)(&drvdata->spinlock); + if (!drvdata->csdev->refcnt) + return -EINVAL; + CS_UNLOCK(drvdata->base); writel_relaxed(val, drvdata->base + TPDA_FLUSH_CR); CS_LOCK(drvdata->base); --- base-commit: f3e6330d7fe42b204af05a2dbc68b379e0ad179e change-id: 20260408-fix-race-condition-issue-d44203254b87 Best regards, --=20 Jie Gan