[PATCH v3] regmap: Fix race condition in hwspinlock irqsave routine
From: Yu-Chun Lin
Date: Thu Jan 08 2026 - 22:26:54 EST
From: Cheng-Yu Lee <cylee12@xxxxxxxxxxx>
Previously, the address of the shared member '&map->spinlock_flags' was
passed directly to 'hwspin_lock_timeout_irqsave'. This creates a race
condition where multiple contexts contending for the lock could overwrite
the shared flags variable, potentially corrupting the state for the
current lock owner.
Fix this by using a local stack variable 'flags' to store the IRQ state
temporarily.
Fixes: 8698b9364710 ("regmap: Add hardware spinlock support")
Signed-off-by: Cheng-Yu Lee <cylee12@xxxxxxxxxxx>
Co-developed-by: Yu-Chun Lin <eleanor.lin@xxxxxxxxxxx>
Signed-off-by: Yu-Chun Lin <eleanor.lin@xxxxxxxxxxx>
---
v3:
- Actually apply the code change mentioned in v2.
v2:
- Initialize 'flags' to 0. This fixes a -Werror build failure when
CONFIG_HWSPINLOCK is disabled, as the stub function in that case does
not initialize the pointer.
Link: https://lore.kernel.org/lkml/20260107032610.13166-1-eleanor.lin@xxxxxxxxxxx/
v1:
Link: https://lore.kernel.org/lkml/20260106021501.30682-1-eleanor.lin@xxxxxxxxxxx/
drivers/base/regmap/regmap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index ce9be3989a21..ae2215d4e61c 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -408,9 +408,11 @@ static void regmap_lock_hwlock_irq(void *__map)
static void regmap_lock_hwlock_irqsave(void *__map)
{
struct regmap *map = __map;
+ unsigned long flags = 0;
hwspin_lock_timeout_irqsave(map->hwlock, UINT_MAX,
- &map->spinlock_flags);
+ &flags);
+ map->spinlock_flags = flags;
}
static void regmap_unlock_hwlock(void *__map)
--
2.34.1