[PATCH v2 01/17] i3c: renesas: Check that the transfer is valid before accessing it
From: Claudiu Beznea
Date: Tue Jun 02 2026 - 09:29:04 EST
From: Claudiu Beznea <claudiu.beznea.uj@xxxxxxxxxxxxxx>
The Renesas I3C driver uses an asynchronous model to transfer data. It
prepares a struct renesas_i3c_xfer, enqueues it, and waits for completion.
The interrupt handler dequeues the transfer, updates/uses it, and signals
the waiting thread.
If the completion times out, the waiting thread dequeues the transfer and
free it. If an interrupt fires after that, the handler may access freed
memory, leading to crashes.
Check that the transfer is still valid before accessing it in the
interrupt handler. Along with it, clear any status flag to avoid
triggering the same interrupts again.
Fixes: d028219a9f14 ("i3c: master: Add basic driver for the Renesas I3C controller")
Cc: stable@xxxxxxxxxxxxxxx
Reviewed-by: Frank Li <Frank.Li@xxxxxxx>
Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@xxxxxxxxxxxxxx>
---
Changes in v2:
- clean the IRQ status bits before returning IRQ_HANDLED and adjusted the
patch description to reflect this change
- collected Frank's tag. Frank, please let me know if you consider
I should drop your tag. Thanks!
drivers/i3c/master/renesas-i3c.c | 44 +++++++++++++++++++++++++++++---
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/drivers/i3c/master/renesas-i3c.c b/drivers/i3c/master/renesas-i3c.c
index f39c449922ca..6e7ece2e0b4e 100644
--- a/drivers/i3c/master/renesas-i3c.c
+++ b/drivers/i3c/master/renesas-i3c.c
@@ -1014,6 +1014,12 @@ static irqreturn_t renesas_i3c_tx_isr(int irq, void *data)
scoped_guard(spinlock, &i3c->xferqueue.lock) {
xfer = i3c->xferqueue.cur;
+ if (!xfer) {
+ /* Clear the Transmit Buffer Empty status flag. */
+ renesas_clear_bit(i3c->regs, NTST, NTST_TDBEF0);
+ return IRQ_HANDLED;
+ }
+
cmd = xfer->cmds;
if (xfer->is_i2c_xfer) {
@@ -1053,11 +1059,18 @@ static irqreturn_t renesas_i3c_resp_isr(int irq, void *data)
int ret = 0;
scoped_guard(spinlock, &i3c->xferqueue.lock) {
+ /* Clear the Respone Queue Full status flag */
+ renesas_clear_bit(i3c->regs, NTST, NTST_RSPQFF);
+
xfer = i3c->xferqueue.cur;
- cmd = xfer->cmds;
+ if (!xfer) {
+ /* Clear any error flags. */
+ renesas_clear_bit(i3c->regs, BCTL, BCTL_ABT);
+ renesas_clear_bit(i3c->regs, NTST, NTST_TEF | NTST_TABTF);
+ return IRQ_HANDLED;
+ }
- /* Clear the Respone Queue Full status flag*/
- renesas_clear_bit(i3c->regs, NTST, NTST_RSPQFF);
+ cmd = xfer->cmds;
data_len = NRSPQP_DATA_LEN(resp_descriptor);
@@ -1138,6 +1151,12 @@ static irqreturn_t renesas_i3c_tend_isr(int irq, void *data)
scoped_guard(spinlock, &i3c->xferqueue.lock) {
xfer = i3c->xferqueue.cur;
+ if (!xfer) {
+ /* Clear any status flag. */
+ renesas_clear_bit(i3c->regs, BST, BST_NACKDF | BST_TENDF);
+ return IRQ_HANDLED;
+ }
+
cmd = xfer->cmds;
if (xfer->is_i2c_xfer) {
@@ -1184,6 +1203,14 @@ static irqreturn_t renesas_i3c_rx_isr(int irq, void *data)
scoped_guard(spinlock, &i3c->xferqueue.lock) {
xfer = i3c->xferqueue.cur;
+ if (!xfer) {
+ /* Clear any status registers. */
+ renesas_clear_bit(i3c->regs, BST, BST_SPCNDDF);
+ /* Clear the Read Buffer Full status flag. */
+ renesas_clear_bit(i3c->regs, NTST, NTST_RDBFF0);
+ return IRQ_HANDLED;
+ }
+
cmd = xfer->cmds;
if (xfer->is_i2c_xfer) {
@@ -1235,6 +1262,11 @@ static irqreturn_t renesas_i3c_stop_isr(int irq, void *data)
scoped_guard(spinlock, &i3c->xferqueue.lock) {
xfer = i3c->xferqueue.cur;
+ if (!xfer) {
+ /* Clear the RX/TX Data Buffer Full status flag. */
+ renesas_clear_bit(i3c->regs, NTST, NTST_TDBEF0 | NTST_RDBFF0);
+ return IRQ_HANDLED;
+ }
/* read back registers to confirm writes have fully propagated */
renesas_writel(i3c->regs, BST, 0);
@@ -1259,6 +1291,12 @@ static irqreturn_t renesas_i3c_start_isr(int irq, void *data)
scoped_guard(spinlock, &i3c->xferqueue.lock) {
xfer = i3c->xferqueue.cur;
+ if (!xfer) {
+ /* Clear any status registers. */
+ renesas_clear_bit(i3c->regs, BST, BST_STCNDDF);
+ return IRQ_HANDLED;
+ }
+
cmd = xfer->cmds;
if (xfer->is_i2c_xfer) {
--
2.43.0