[PATCH] firewire: core: fix race condition against transaction list

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] firewire: core: fix race condition against transaction list
@ 2026-01-27 22:34 Takashi Sakamoto
  2026-01-28 23:06 ` Takashi Sakamoto
  0 siblings, 1 reply; 2+ messages in thread
From: Takashi Sakamoto @ 2026-01-27 22:34 UTC (permalink / raw)
  To: linux1394-devel; +Cc: linux-kernel, stable, Andreas Persson

The list of transaction is enumerated without acquiring card lock when
processing AR response event. This causes a race condition bug when
processing AT request completion event concurrently.

This commit fixes the bug by put timer start for split transaction
expiration into the scope of lock. The value of jiffies in card structure
is referred before acquiring the lock.

Cc: stable@vger.kernel.org # v6.18
Fixes: b5725cfa4120 ("firewire: core: use spin lock specific to timer for split transaction")
Reported-by: Andreas Persson <andreasp56@outlook.com>
Closes: https://github.com/alsa-project/snd-firewire-ctl-services/issues/209
Tested-by: Andreas Persson <andreasp56@outlook.com>
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
---
 drivers/firewire/core-transaction.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c
index 7fea11a5e359..22ae387ae03c 100644
--- a/drivers/firewire/core-transaction.c
+++ b/drivers/firewire/core-transaction.c
@@ -173,20 +173,14 @@ static void split_transaction_timeout_callback(struct timer_list *timer)
 	}
 }
 
-static void start_split_transaction_timeout(struct fw_transaction *t,
-					    struct fw_card *card)
+// card->transactions.lock should be acquired in advance for the linked list.
+static void start_split_transaction_timeout(struct fw_transaction *t, unsigned int delta)
 {
-	unsigned long delta;
-
 	if (list_empty(&t->link) || WARN_ON(t->is_split_transaction))
 		return;
 
 	t->is_split_transaction = true;
 
-	// NOTE: This can be without irqsave when we can guarantee that __fw_send_request() for
-	// local destination never runs in any type of IRQ context.
-	scoped_guard(spinlock_irqsave, &card->split_timeout.lock)
-		delta = card->split_timeout.jiffies;
 	mod_timer(&t->split_timeout_timer, jiffies + delta);
 }
 
@@ -207,13 +201,20 @@ static void transmit_complete_callback(struct fw_packet *packet,
 		break;
 	case ACK_PENDING:
 	{
+		unsigned int delta;
+
 		// NOTE: This can be without irqsave when we can guarantee that __fw_send_request() for
 		// local destination never runs in any type of IRQ context.
 		scoped_guard(spinlock_irqsave, &card->split_timeout.lock) {
 			t->split_timeout_cycle =
 				compute_split_timeout_timestamp(card, packet->timestamp) & 0xffff;
+			delta = card->split_timeout.jiffies;
 		}
-		start_split_transaction_timeout(t, card);
+
+		// NOTE: This can be without irqsave when we can guarantee that __fw_send_request() for
+		// local destination never runs in any type of IRQ context.
+		scoped_guard(spinlock_irqsave, &card->transactions.lock)
+			start_split_transaction_timeout(t, delta);
 		break;
 	}
 	case ACK_BUSY_X:

base-commit: 6b617317e5bc95e9962a712314ae0c4b7a4d5cc3
-- 
2.51.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] firewire: core: fix race condition against transaction list
  2026-01-27 22:34 [PATCH] firewire: core: fix race condition against transaction list Takashi Sakamoto
@ 2026-01-28 23:06 ` Takashi Sakamoto
  0 siblings, 0 replies; 2+ messages in thread
From: Takashi Sakamoto @ 2026-01-28 23:06 UTC (permalink / raw)
  To: linux1394-devel; +Cc: Andreas Persson, linux-kernel, stable

On Wed, Jan 28, 2026 at 07:34:13AM +0900, Takashi Sakamoto wrote:
> The list of transaction is enumerated without acquiring card lock when
> processing AR response event. This causes a race condition bug when
> processing AT request completion event concurrently.
> 
> This commit fixes the bug by put timer start for split transaction
> expiration into the scope of lock. The value of jiffies in card structure
> is referred before acquiring the lock.
> 
> Cc: stable@vger.kernel.org # v6.18
> Fixes: b5725cfa4120 ("firewire: core: use spin lock specific to timer for split transaction")
> Reported-by: Andreas Persson <andreasp56@outlook.com>
> Closes: https://github.com/alsa-project/snd-firewire-ctl-services/issues/209
> Tested-by: Andreas Persson <andreasp56@outlook.com>
> Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
> ---
>  drivers/firewire/core-transaction.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)

Applied to for-linus branch. I'll send it to mainline in this weekend in
time for v6.19-rc8 release.


Regards

Takashi Sakamoto

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-01-28 23:06 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-27 22:34 [PATCH] firewire: core: fix race condition against transaction list Takashi Sakamoto
2026-01-28 23:06 ` Takashi Sakamoto

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox