[PATCHv2 1/9] dmaengine: mv_xor: initialize chan state before requesting IRQ

From: Rosen Penev

Date: Thu Jun 11 2026 - 17:07:48 EST

In mv_xor_channel_add(), the IRQ is requested and unmasked before the
channel's spinlock, descriptor lists, and cookie state are initialized.
If an interrupt fires immediately (e.g. from a shared IRQ or previous
bind/unbind cycle), the handler schedules the tasklet, which then
accesses the uninitialized spinlock and lists in mv_chan_slot_cleanup(),
resulting in undefined behavior.

Fix by moving spin_lock_init(), INIT_LIST_HEAD(), dma_cookie_init(),
and tasklet_setup() to immediately follow the basic struct field
initialization, before any DMA mappings or IRQ registration.

Assisted-by: opencode:big-pickle
Signed-off-by: Rosen Penev <rosenp@xxxxxxxxx>
---
drivers/dma/mv_xor.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/drivers/dma/mv_xor.c b/drivers/dma/mv_xor.c
index 25ed61f1b089..93a8e9f7c529 100644
--- a/drivers/dma/mv_xor.c
+++ b/drivers/dma/mv_xor.c
@@ -1054,6 +1054,18 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
dma_dev->dev = &pdev->dev;
mv_chan->xordev = xordev;

+ spin_lock_init(&mv_chan->lock);
+ INIT_LIST_HEAD(&mv_chan->chain);
+ INIT_LIST_HEAD(&mv_chan->completed_slots);
+ INIT_LIST_HEAD(&mv_chan->free_slots);
+ INIT_LIST_HEAD(&mv_chan->allocated_slots);
+ mv_chan->dmachan.device = dma_dev;
+ dma_cookie_init(&mv_chan->dmachan);
+
+ mv_chan->mmr_base = xordev->xor_base;
+ mv_chan->mmr_high_base = xordev->xor_high_base;
+ tasklet_setup(&mv_chan->irq_tasklet, mv_xor_tasklet);
+
/*
* These source and destination dummy buffers are used to implement
* a DMA_INTERRUPT operation as a minimum-sized XOR operation.
@@ -1105,10 +1117,6 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
dma_dev->device_prep_dma_xor = mv_xor_prep_dma_xor;
}

- mv_chan->mmr_base = xordev->xor_base;
- mv_chan->mmr_high_base = xordev->xor_high_base;
- tasklet_setup(&mv_chan->irq_tasklet, mv_xor_tasklet);
-
/* clear errors before enabling interrupts */
mv_chan_clear_err_status(mv_chan);

@@ -1124,14 +1132,6 @@ mv_xor_channel_add(struct mv_xor_device *xordev,
else
mv_chan_set_mode(mv_chan, XOR_OPERATION_MODE_XOR);

- spin_lock_init(&mv_chan->lock);
- INIT_LIST_HEAD(&mv_chan->chain);
- INIT_LIST_HEAD(&mv_chan->completed_slots);
- INIT_LIST_HEAD(&mv_chan->free_slots);
- INIT_LIST_HEAD(&mv_chan->allocated_slots);
- mv_chan->dmachan.device = dma_dev;
- dma_cookie_init(&mv_chan->dmachan);
-
list_add_tail(&mv_chan->dmachan.device_node, &dma_dev->channels);

if (dma_has_cap(DMA_MEMCPY, dma_dev->cap_mask)) {
--
2.54.0