drivers/firmware/imx/se_ctrl.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-)
SE_IOCTL_ENABLE_CMD_RCV updates the global command receiver state in
priv->cmd_receiver_clbk_hdl, but it is currently protected only by the
per-file dev_ctx->fops_lock. Concurrent ioctl calls from different file
descriptors can therefore race and register multiple receivers against
the same priv instance.
Protect command receiver registration with priv->priv_dev_ctx->fops_lock,
which serializes access to the shared callback state.
Fixes: 3ae9dcce8400 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Closes: https://sashiko.dev/#/patchset/20260514090457.2186933-1-pankaj.gupta@nxp.com?part=1
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
---
drivers/firmware/imx/se_ctrl.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 995e2b5c2b05..2efeed180f2a 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -919,21 +919,22 @@ static long se_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
switch (cmd) {
case SE_IOCTL_ENABLE_CMD_RCV:
- if (!priv->cmd_receiver_clbk_hdl.dev_ctx) {
+ scoped_guard(mutex, &priv->priv_dev_ctx->fops_lock) {
+ if (priv->cmd_receiver_clbk_hdl.dev_ctx) {
+ err = -EBUSY;
+ goto out_enable_cmd_rcv;
+ }
+ priv->cmd_receiver_clbk_hdl.rx_msg =
+ kzalloc(MAX_NVM_MSG_LEN,
+ GFP_KERNEL);
if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
- priv->cmd_receiver_clbk_hdl.rx_msg =
- kzalloc(MAX_NVM_MSG_LEN,
- GFP_KERNEL);
- if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
- err = -ENOMEM;
- break;
- }
+ err = -ENOMEM;
+ goto out_enable_cmd_rcv;
}
priv->cmd_receiver_clbk_hdl.rx_msg_sz = MAX_NVM_MSG_LEN;
priv->cmd_receiver_clbk_hdl.dev_ctx = dev_ctx;
err = 0;
- } else {
- err = -EBUSY;
+out_enable_cmd_rcv:
}
break;
case SE_IOCTL_GET_MU_INFO:
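Review bot: The rewritten `SE_IOCTL_ENABLE_CMD_RCV` branch now calls `kzalloc()` unconditionally, whereas the removed code allocated only when `priv->cmd_receiver_clbk_hdl.rx_msg` was NULL. If any teardown path clears `cmd_receiver_clbk_hdl.dev_ctx` but keeps `rx_msg` (not visible in this hunk), each re-registration overwrites the pointer and leaks `MAX_NVM_MSG_LEN` bytes of kernel memory, repeatable from user space through this ioctl. Keeping the guard preserves the old behaviour: `if (!priv->cmd_receiver_clbk_hdl.rx_msg) priv->cmd_receiver_clbk_hdl.rx_msg = kzalloc(MAX_NVM_MSG_LEN, GFP_KERNEL);` followed by the existing NULL check. Separately, the branch takes `priv->priv_dev_ctx->fops_lock` while `dev_ctx->fops_lock` is already held; if both mutexes share a lock class lockdep will probably flag recursive locking, and it would self-deadlock should `dev_ctx` ever equal `priv->priv_dev_ctx`, so the lock order deserves a comment such as `/* lock order: dev_ctx->fops_lock, then priv->priv_dev_ctx->fops_lock */` or a dedicated mutex for the callback state. `se_ioctl` starts and ends outside the hunk.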
--
2.43.0
Hi Pankaj,
kernel test robot noticed the following build errors:
[auto build test ERROR on next-20260527]
url: https://github.com/intel-lab-lkp/linux/commits/Pankaj-Gupta/firmware-imx-se_ctrl-serialize-command-receiver-registration/20260528-172942
base: next-20260527
patch link: https://lore.kernel.org/r/20260528091634.3331090-1-pankaj.gupta%40nxp.com
patch subject: [PATCH -next] firmware: imx: se_ctrl: serialize command receiver registration
config: s390-randconfig-r121-20260529 (https://download.01.org/0day-ci/archive/20260529/202605291211.iAxyywQe-lkp@intel.com/config)
compiler: s390-linux-gcc (GCC) 8.5.0
sparse: v0.6.5-rc1
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260529/202605291211.iAxyywQe-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605291211.iAxyywQe-lkp@intel.com/
All errors (new ones prefixed by >>):
drivers/firmware/imx/se_ctrl.c: In function 'se_ioctl':
>> drivers/firmware/imx/se_ctrl.c:933:1: error: label at end of compound statement
out_enable_cmd_rcv:
^~~~~~~~~~~~~~~~~~
Kconfig warnings: (for reference only)
WARNING: unmet direct dependencies detected for MFD_STMFX
Depends on [n]: HAS_IOMEM [=y] && I2C [=y] && OF [=n]
Selected by [m]:
- PINCTRL_STMFX [=m] && PINCTRL [=y] && I2C [=y] && HAS_IOMEM [=y]
vim +933 drivers/firmware/imx/se_ctrl.c
905
906 /* IOCTL entry point of a character device */
907 static long se_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
908 {
909 struct se_if_device_ctx *dev_ctx = fp->private_data;
910 struct se_if_priv *priv = dev_ctx->priv;
911 void __user *uarg = (void __user *)arg;
912 long err;
913
914 /* Prevent race during change of device context */
915 scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
916 switch (cmd) {
917 case SE_IOCTL_ENABLE_CMD_RCV:
918 scoped_guard(mutex, &priv->priv_dev_ctx->fops_lock) {
919 if (priv->cmd_receiver_clbk_hdl.dev_ctx) {
920 err = -EBUSY;
921 goto out_enable_cmd_rcv;
922 }
923 priv->cmd_receiver_clbk_hdl.rx_msg =
924 kzalloc(MAX_NVM_MSG_LEN,
925 GFP_KERNEL);
926 if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
927 err = -ENOMEM;
928 goto out_enable_cmd_rcv;
929 }
930 priv->cmd_receiver_clbk_hdl.rx_msg_sz = MAX_NVM_MSG_LEN;
931 priv->cmd_receiver_clbk_hdl.dev_ctx = dev_ctx;
932 err = 0;
> 933 out_enable_cmd_rcv:
934 }
935 break;
936 case SE_IOCTL_GET_MU_INFO:
937 err = se_ioctl_get_mu_info(dev_ctx, uarg);
938 break;
939 case SE_IOCTL_SETUP_IOBUF:
940 err = se_ioctl_setup_iobuf_handler(dev_ctx, uarg);
941 break;
942 case SE_IOCTL_GET_SOC_INFO:
943 err = se_ioctl_get_se_soc_info_handler(dev_ctx, uarg);
944 break;
945 case SE_IOCTL_CMD_SEND_RCV_RSP:
946 err = se_ioctl_cmd_snd_rcv_rsp_handler(dev_ctx, uarg);
947 break;
948 default:
949 err = -EINVAL;
950 dev_dbg(priv->dev, "%s: IOCTL %.8x not supported.",
951 dev_ctx->devname, cmd);
952 }
953 }
954
955 return err;
956 }
957
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Pankaj,
kernel test robot noticed the following build warnings:
[auto build test WARNING on next-20260527]
url: https://github.com/intel-lab-lkp/linux/commits/Pankaj-Gupta/firmware-imx-se_ctrl-serialize-command-receiver-registration/20260528-172942
base: next-20260527
patch link: https://lore.kernel.org/r/20260528091634.3331090-1-pankaj.gupta%40nxp.com
patch subject: [PATCH -next] firmware: imx: se_ctrl: serialize command receiver registration
config: arm64-allmodconfig (https://download.01.org/0day-ci/archive/20260529/202605291206.NC4J51NQ-lkp@intel.com/config)
compiler: clang version 19.1.7 (https://github.com/llvm/llvm-project cd708029e0b2869e80abe31ddb175f7c35361f90)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260529/202605291206.NC4J51NQ-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605291206.NC4J51NQ-lkp@intel.com/
All warnings (new ones prefixed by >>):
drivers/firmware/imx/se_ctrl.c:673:16: warning: result of comparison of constant 18446744073709551608 with expression of type '__u32' (aka 'unsigned int') is always false [-Wtautological-constant-out-of-range-compare]
673 | if (io.length > SIZE_MAX - 7) {
| ~~~~~~~~~ ^ ~~~~~~~~~~~~
>> drivers/firmware/imx/se_ctrl.c:934:4: warning: label at end of compound statement is a C23 extension [-Wc23-extensions]
934 | }
| ^
2 warnings generated.
vim +934 drivers/firmware/imx/se_ctrl.c
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 905
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 906 /* IOCTL entry point of a character device */
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 907 static long se_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 908 {
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 909 struct se_if_device_ctx *dev_ctx = fp->private_data;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 910 struct se_if_priv *priv = dev_ctx->priv;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 911 void __user *uarg = (void __user *)arg;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 912 long err;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 913
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 914 /* Prevent race during change of device context */
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 915 scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 916 switch (cmd) {
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 917 case SE_IOCTL_ENABLE_CMD_RCV:
8aff20bcff5290 Pankaj Gupta 2026-05-28 918 scoped_guard(mutex, &priv->priv_dev_ctx->fops_lock) {
8aff20bcff5290 Pankaj Gupta 2026-05-28 919 if (priv->cmd_receiver_clbk_hdl.dev_ctx) {
8aff20bcff5290 Pankaj Gupta 2026-05-28 920 err = -EBUSY;
8aff20bcff5290 Pankaj Gupta 2026-05-28 921 goto out_enable_cmd_rcv;
8aff20bcff5290 Pankaj Gupta 2026-05-28 922 }
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 923 priv->cmd_receiver_clbk_hdl.rx_msg =
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 924 kzalloc(MAX_NVM_MSG_LEN,
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 925 GFP_KERNEL);
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 926 if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 927 err = -ENOMEM;
8aff20bcff5290 Pankaj Gupta 2026-05-28 928 goto out_enable_cmd_rcv;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 929 }
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 930 priv->cmd_receiver_clbk_hdl.rx_msg_sz = MAX_NVM_MSG_LEN;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 931 priv->cmd_receiver_clbk_hdl.dev_ctx = dev_ctx;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 932 err = 0;
8aff20bcff5290 Pankaj Gupta 2026-05-28 933 out_enable_cmd_rcv:
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 @934 }
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 935 break;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 936 case SE_IOCTL_GET_MU_INFO:
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 937 err = se_ioctl_get_mu_info(dev_ctx, uarg);
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 938 break;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 939 case SE_IOCTL_SETUP_IOBUF:
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 940 err = se_ioctl_setup_iobuf_handler(dev_ctx, uarg);
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 941 break;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 942 case SE_IOCTL_GET_SOC_INFO:
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 943 err = se_ioctl_get_se_soc_info_handler(dev_ctx, uarg);
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 944 break;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 945 case SE_IOCTL_CMD_SEND_RCV_RSP:
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 946 err = se_ioctl_cmd_snd_rcv_rsp_handler(dev_ctx, uarg);
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 947 break;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 948 default:
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 949 err = -EINVAL;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 950 dev_dbg(priv->dev, "%s: IOCTL %.8x not supported.",
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 951 dev_ctx->devname, cmd);
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 952 }
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 953 }
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 954
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 955 return err;
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 956 }
3ae9dcce8400f0 Pankaj Gupta 2026-01-22 957
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
Hi Pankaj,
kernel test robot noticed the following build warnings:
[auto build test WARNING on next-20260527]
url: https://github.com/intel-lab-lkp/linux/commits/Pankaj-Gupta/firmware-imx-se_ctrl-serialize-command-receiver-registration/20260528-172942
base: next-20260527
patch link: https://lore.kernel.org/r/20260528091634.3331090-1-pankaj.gupta%40nxp.com
patch subject: [PATCH -next] firmware: imx: se_ctrl: serialize command receiver registration
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20260529/202605291047.TLJLq3sB-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260529/202605291047.TLJLq3sB-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202605291047.TLJLq3sB-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> drivers/firmware/imx/se_ctrl.c:934:4: warning: label at end of compound statement is a C2x extension [-Wc2x-extensions]
934 | }
| ^
1 warning generated.
vim +934 drivers/firmware/imx/se_ctrl.c
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 905
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 906 /* IOCTL entry point of a character device */
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 907 static long se_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 908 {
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 909 struct se_if_device_ctx *dev_ctx = fp->private_data;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 910 struct se_if_priv *priv = dev_ctx->priv;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 911 void __user *uarg = (void __user *)arg;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 912 long err;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 913
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 914 /* Prevent race during change of device context */
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 915 scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 916 switch (cmd) {
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 917 case SE_IOCTL_ENABLE_CMD_RCV:
8aff20bcff52903 Pankaj Gupta 2026-05-28 918 scoped_guard(mutex, &priv->priv_dev_ctx->fops_lock) {
8aff20bcff52903 Pankaj Gupta 2026-05-28 919 if (priv->cmd_receiver_clbk_hdl.dev_ctx) {
8aff20bcff52903 Pankaj Gupta 2026-05-28 920 err = -EBUSY;
8aff20bcff52903 Pankaj Gupta 2026-05-28 921 goto out_enable_cmd_rcv;
8aff20bcff52903 Pankaj Gupta 2026-05-28 922 }
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 923 priv->cmd_receiver_clbk_hdl.rx_msg =
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 924 kzalloc(MAX_NVM_MSG_LEN,
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 925 GFP_KERNEL);
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 926 if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 927 err = -ENOMEM;
8aff20bcff52903 Pankaj Gupta 2026-05-28 928 goto out_enable_cmd_rcv;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 929 }
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 930 priv->cmd_receiver_clbk_hdl.rx_msg_sz = MAX_NVM_MSG_LEN;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 931 priv->cmd_receiver_clbk_hdl.dev_ctx = dev_ctx;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 932 err = 0;
8aff20bcff52903 Pankaj Gupta 2026-05-28 933 out_enable_cmd_rcv:
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 @934 }
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 935 break;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 936 case SE_IOCTL_GET_MU_INFO:
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 937 err = se_ioctl_get_mu_info(dev_ctx, uarg);
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 938 break;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 939 case SE_IOCTL_SETUP_IOBUF:
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 940 err = se_ioctl_setup_iobuf_handler(dev_ctx, uarg);
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 941 break;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 942 case SE_IOCTL_GET_SOC_INFO:
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 943 err = se_ioctl_get_se_soc_info_handler(dev_ctx, uarg);
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 944 break;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 945 case SE_IOCTL_CMD_SEND_RCV_RSP:
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 946 err = se_ioctl_cmd_snd_rcv_rsp_handler(dev_ctx, uarg);
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 947 break;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 948 default:
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 949 err = -EINVAL;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 950 dev_dbg(priv->dev, "%s: IOCTL %.8x not supported.",
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 951 dev_ctx->devname, cmd);
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 952 }
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 953 }
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 954
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 955 return err;
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 956 }
3ae9dcce8400f0a Pankaj Gupta 2026-01-22 957
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki