soundwire: bus: serialize BPT/BRA transfers per bus

ujfalusi · bardliao · commit e928d5ceaecb · 2026-06-12T17:26:05.000+08:00
On Intel ACE2+ platforms, each SoundWire link uses a single pair of
PDIs (PDI0 for TX, PDI1 for RX) and associated DMA resources for
Bulk Port Transfers. When two codecs on the same link initiate BRA
transfers concurrently (e.g. during firmware download), the second
sdw_bpt_send_async() call races with the first:

  - intel_ace2x_bpt_open_stream() has a TOCTOU on the bpt_stream
    pointer: both callers see it as NULL and proceed
  - The second open overwrites the first's stream allocation, leaking
    the original sdw_stream_runtime
  - PCMSyCM mappings for the first transfer get overwritten, causing
    chain DMA to operate with wrong PDI assignments
  - IOC timeouts, use-after-free, and double-free follow on close

Add a per-bus bpt_lock mutex held across the send_async/wait span to
serialize BPT transfers. The lock is acquired in sdw_bpt_send_async()
before calling the master ops and released in sdw_bpt_wait() after the
transfer completes. On send_async failure, the lock is released
immediately.

Cross-link transfers (different sdw_bus instances) remain concurrent
since each bus has its own lock.

Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
diff --git a/drivers/soundwire/bus.c b/drivers/soundwire/bus.c
@@ -87,6 +87,8 @@ int sdw_bus_master_add(struct sdw_bus *bus, struct device *parent,
 	lockdep_register_key(&bus->bus_lock_key);
 	__mutex_init(&bus->bus_lock, "bus_lock", &bus->bus_lock_key);
 
+	mutex_init(&bus->bpt_lock);
+
 	INIT_LIST_HEAD(&bus->slaves);
 	INIT_LIST_HEAD(&bus->m_rt_list);
 
@@ -2094,6 +2096,7 @@ EXPORT_SYMBOL(sdw_clear_slave_status);
 int sdw_bpt_send_async(struct sdw_bus *bus, struct sdw_slave *slave, struct sdw_bpt_msg *msg)
 {
 	int len = 0;
+	int ret;
 	int i;
 
 	for (i = 0; i < msg->sections; i++)
@@ -2118,13 +2121,26 @@ int sdw_bpt_send_async(struct sdw_bus *bus, struct sdw_slave *slave, struct sdw_
 		return -EOPNOTSUPP;
 	}
 
-	return bus->ops->bpt_send_async(bus, slave, msg);
+	/* Serialize BPT/BRA transfers per bus: PDIs and DMA resources are shared */
+	mutex_lock(&bus->bpt_lock);
+
+	ret = bus->ops->bpt_send_async(bus, slave, msg);
+	if (ret < 0)
+		mutex_unlock(&bus->bpt_lock);
+
+	/* on success the lock is held until sdw_bpt_wait() */
+	return ret;
 }
 EXPORT_SYMBOL(sdw_bpt_send_async);
 
 int sdw_bpt_wait(struct sdw_bus *bus, struct sdw_slave *slave, struct sdw_bpt_msg *msg)
 {
-	return bus->ops->bpt_wait(bus, slave, msg);
+	int ret;
+
+	ret = bus->ops->bpt_wait(bus, slave, msg);
+	mutex_unlock(&bus->bpt_lock);
+
+	return ret;
 }
 EXPORT_SYMBOL(sdw_bpt_wait);
 
diff --git a/include/linux/soundwire/sdw.h b/include/linux/soundwire/sdw.h
@@ -1044,6 +1044,7 @@ struct sdw_bus {
 	int stream_refcount;
 	int bpt_stream_refcount;
 	struct sdw_stream_runtime *bpt_stream;
+	struct mutex bpt_lock; /* serialize BPT/BRA transfers per bus */
 	const struct sdw_master_ops *ops;
 	const struct sdw_master_port_ops *port_ops;
 	struct sdw_master_prop prop;
