[PATCH -next] firmware: imx: se_ctrl: serialize command receiver registration

[Pankaj Gupta]

SE_IOCTL_ENABLE_CMD_RCV updates the global command receiver state in
priv->cmd_receiver_clbk_hdl, but it is currently protected only by the
per-file dev_ctx->fops_lock. Concurrent ioctl calls from different file
descriptors can therefore race and register multiple receivers against
the same priv instance.

Protect command receiver registration with priv->priv_dev_ctx->fops_lock,
which serializes access to the shared callback state.

Fixes: 3ae9dcce8400 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Closes: https://sashiko.dev/#/patchset/20260514090457.2186933-1-pankaj.gupta@xxxxxxx?part=1
Signed-off-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
---
 drivers/firmware/imx/se_ctrl.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 995e2b5c2b05..2efeed180f2a 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -919,21 +919,22 @@ static long se_ioctl(struct file *fp, unsigned int cmd, unsigned long arg)
 	scoped_cond_guard(mutex_intr, return -EBUSY, &dev_ctx->fops_lock) {
 		switch (cmd) {
 		case SE_IOCTL_ENABLE_CMD_RCV:
-			if (!priv->cmd_receiver_clbk_hdl.dev_ctx) {
+			scoped_guard(mutex, &priv->priv_dev_ctx->fops_lock) {
+				if (priv->cmd_receiver_clbk_hdl.dev_ctx) {
+					err = -EBUSY;
+					goto out_enable_cmd_rcv;
+				}
+				priv->cmd_receiver_clbk_hdl.rx_msg =
+								kzalloc(MAX_NVM_MSG_LEN,
+									GFP_KERNEL);
 				if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
-					priv->cmd_receiver_clbk_hdl.rx_msg =
-						kzalloc(MAX_NVM_MSG_LEN,
-							GFP_KERNEL);
-					if (!priv->cmd_receiver_clbk_hdl.rx_msg) {
-						err = -ENOMEM;
-						break;
-					}
+					err = -ENOMEM;
+					goto out_enable_cmd_rcv;
 				}
 				priv->cmd_receiver_clbk_hdl.rx_msg_sz = MAX_NVM_MSG_LEN;
 				priv->cmd_receiver_clbk_hdl.dev_ctx = dev_ctx;
 				err = 0;
-			} else {
-				err = -EBUSY;
+out_enable_cmd_rcv:
 			}
 			break;
 		case SE_IOCTL_GET_MU_INFO:
-- 
2.43.0