[PATCH 01/17] i3c: renesas: Check that the transfer is valid before accessing it

[PATCH 00/17] i3c: renesas: Suspend to RAM with power loss and runtime PM · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
[PATCH 01/17] i3c: renesas: Check that the transfer is valid before accessing it · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 01/17] i3c: renesas: Check that the transfer is valid before accessing it · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 02/17] i3c: renesas: Use the divider 128 · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 02/17] i3c: renesas: Use the divider 128 · Frank Li <Frank.li@nxp.com> · 2026-05-22
Re: [PATCH 02/17] i3c: renesas: Use the divider 128 · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-23
[PATCH 03/17] i3c: renesas: Restore STDBR and EXTBR registers on resume · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 03/17] i3c: renesas: Restore STDBR and EXTBR registers on resume · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 04/17] i3c: renesas: Follow the reset deassert order used in probe · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 04/17] i3c: renesas: Follow the reset deassert order used in probe · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 05/17] i3c: renesas: Fix re-attach · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 05/17] i3c: renesas: Fix re-attach · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 06/17] i3c: renesas: Reset the controller on resume · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 06/17] i3c: renesas: Reset the controller on resume · Frank Li <Frank.li@nxp.com> · 2026-05-22
Re: [PATCH 06/17] i3c: renesas: Reset the controller on resume · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-23
[PATCH 07/17] i3c: renesas: Perform Dynamic Address Assignment on resume · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 07/17] i3c: renesas: Perform Dynamic Address Assignment on resume · Frank Li <Frank.li@nxp.com> · 2026-05-22
Re: [PATCH 07/17] i3c: renesas: Perform Dynamic Address Assignment on resume · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-23
[PATCH 08/17] i3c: renesas: Clean DATBAS register on detach · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 08/17] i3c: renesas: Clean DATBAS register on detach · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 09/17] i3c: renesas: Use reset_control_bulk_{assert, deassert}() · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 09/17] i3c: renesas: Use reset_control_bulk_{assert, deassert}() · Frank Li <Frank.li@nxp.com> · 2026-05-22
Re: [PATCH 09/17] i3c: renesas: Use reset_control_bulk_{assert, deassert}() · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-23
[PATCH 10/17] i3c: renesas: Return immediately if there is nothing to transfer · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 10/17] i3c: renesas: Return immediately if there is nothing to transfer · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 11/17] i3c: renesas: Follow a unified pattern for transfer and command initialization · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 11/17] i3c: renesas: Follow a unified pattern for transfer and command initialization · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 12/17] i3c: renesas: Drop the explicit memset() call · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 12/17] i3c: renesas: Drop the explicit memset() call · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 13/17] i3c: renesas: Update HW registers after SW computations are done · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 13/17] i3c: renesas: Update HW registers after SW computations are done · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 14/17] i3c: renesas: Organize structures to avoid unnecessary padding · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 14/17] i3c: renesas: Organize structures to avoid unnecessary padding · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 15/17] i3c: renesas: Use the "dev_name:irq_name" format for the interrupt name · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 15/17] i3c: renesas: Use the "dev_name:irq_name" format for the interrupt name · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 16/17] i3c: renesas: Drop unnecessary tab · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 16/17] i3c: renesas: Drop unnecessary tab · Frank Li <Frank.li@nxp.com> · 2026-05-22
[PATCH 17/17] i3c: renesas: Add runtime PM support · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-22
Re: [PATCH 17/17] i3c: renesas: Add runtime PM support · Frank Li <Frank.li@nxp.com> · 2026-05-22
Re: [PATCH 17/17] i3c: renesas: Add runtime PM support · Claudiu Beznea <claudiu.beznea@kernel.org> · 2026-05-23

From: Claudiu Beznea <claudiu.beznea@kernel.org>
Date: 2026-05-22 10:18:25
Also in: linux-renesas-soc, lkml, stable
Subsystem: i3c driver for renesas, i3c subsystem, the rest · Maintainers: Wolfram Sang, Tommaso Merciai, Alexandre Belloni, Linus Torvalds

From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>

The Renesas I3C driver uses an asynchronous model to transfer data. It
prepares a struct renesas_i3c_xfer, enqueues it, and waits for completion.
The interrupt handler dequeues the transfer, updates/uses it, and signals
the waiting thread.

If the completion times out, the waiting thread dequeues the transfer and
free it. If an interrupt fires after that, the handler may access freed
memory, leading to crashes.

Check that the transfer is still valid before accessing it in the
interrupt handler.

Fixes: d028219a9f14 ("i3c: master: Add basic driver for the Renesas I3C controller")
Cc: stable@vger.kernel.org
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
---
 drivers/i3c/master/renesas-i3c.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/i3c/master/renesas-i3c.c b/drivers/i3c/master/renesas-i3c.c
index f39c449922ca..36e3ccbe66b0 100644
--- a/drivers/i3c/master/renesas-i3c.c
+++ b/drivers/i3c/master/renesas-i3c.c

@@ -1014,6 +1014,9 @@ static irqreturn_t renesas_i3c_tx_isr(int irq, void *data)
 
 	scoped_guard(spinlock, &i3c->xferqueue.lock) {
 		xfer = i3c->xferqueue.cur;
+		if (!xfer)
+			return IRQ_HANDLED;
+
 		cmd = xfer->cmds;
 
 		if (xfer->is_i2c_xfer) {

@@ -1054,6 +1057,9 @@ static irqreturn_t renesas_i3c_resp_isr(int irq, void *data)
 
 	scoped_guard(spinlock, &i3c->xferqueue.lock) {
 		xfer = i3c->xferqueue.cur;
+		if (!xfer)
+			return IRQ_HANDLED;
+
 		cmd = xfer->cmds;
 
 		/* Clear the Respone Queue Full status flag*/

@@ -1138,6 +1144,9 @@ static irqreturn_t renesas_i3c_tend_isr(int irq, void *data)
 
 	scoped_guard(spinlock, &i3c->xferqueue.lock) {
 		xfer = i3c->xferqueue.cur;
+		if (!xfer)
+			return IRQ_HANDLED;
+
 		cmd = xfer->cmds;
 
 		if (xfer->is_i2c_xfer) {

@@ -1184,6 +1193,9 @@ static irqreturn_t renesas_i3c_rx_isr(int irq, void *data)
 
 	scoped_guard(spinlock, &i3c->xferqueue.lock) {
 		xfer = i3c->xferqueue.cur;
+		if (!xfer)
+			return IRQ_HANDLED;
+
 		cmd = xfer->cmds;
 
 		if (xfer->is_i2c_xfer) {

@@ -1235,6 +1247,8 @@ static irqreturn_t renesas_i3c_stop_isr(int irq, void *data)
 
 	scoped_guard(spinlock, &i3c->xferqueue.lock) {
 		xfer = i3c->xferqueue.cur;
+		if (!xfer)
+			return IRQ_HANDLED;
 
 		/* read back registers to confirm writes have fully propagated */
 		renesas_writel(i3c->regs, BST, 0);

@@ -1259,6 +1273,9 @@ static irqreturn_t renesas_i3c_start_isr(int irq, void *data)
 
 	scoped_guard(spinlock, &i3c->xferqueue.lock) {
 		xfer = i3c->xferqueue.cur;
+		if (!xfer)
+			return IRQ_HANDLED;
+
 		cmd = xfer->cmds;
 
 		if (xfer->is_i2c_xfer) {

-- 
2.43.0


-- 
linux-i3c mailing list
linux-i3c@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-i3c

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help