From 5887b5e6da9bb271bdcf72532f31ef519c65e4cc Mon Sep 17 00:00:00 2001
From: Sugar Zhang <sugar.zhang@rock-chips.com>
Date: Wed, 30 Apr 2025 09:37:38 +0800
Subject: [PATCH] dmaengine: rockchip-dma: Fix potential concurrent on
 rk_dma_lch

The LCH should always be accessed under lock protection to avoid
race conditions that could lead to null-pointer dereference.

Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
Change-Id: I26ef5467c4d79236e1d52806fec7d60c0c34136f
---
 drivers/dma/rockchip-dma.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/dma/rockchip-dma.c b/drivers/dma/rockchip-dma.c
index 59fd30e7bac2..3fbccc21660e 100644
--- a/drivers/dma/rockchip-dma.c
+++ b/drivers/dma/rockchip-dma.c
@@ -1092,7 +1092,7 @@ static int rk_dma_terminate_all(struct dma_chan *chan)
 {
 	struct rk_dma_chan *c = to_rk_chan(chan);
 	struct rk_dma_dev *d = to_rk_dma(chan->device);
-	struct rk_dma_lch *l = c->lch;
+	struct rk_dma_lch *l;
 	unsigned long flags;
 	LIST_HEAD(head);
 
@@ -1103,6 +1103,7 @@ static int rk_dma_terminate_all(struct dma_chan *chan)
 	spin_unlock_irqrestore(&d->lock, flags);
 
 	spin_lock_irqsave(&c->vc.lock, flags);
+	l = c->lch;
 	if (l) {
 		rk_dma_terminate_chan(l, d);
 		if (l->ds_run)
@@ -1130,9 +1131,14 @@ static int rk_dma_transfer_pause(struct dma_chan *chan)
 static int rk_dma_transfer_resume(struct dma_chan *chan)
 {
 	struct rk_dma_chan *c = to_rk_chan(chan);
-	struct rk_dma_lch *l = c->lch;
+	struct rk_dma_lch *l;
+	unsigned long flags;
 
-	writel(LCH_TRF_CMD_DMA_RESUME, RK_DMA_LCH_TRF_CMD);
+	spin_lock_irqsave(&c->vc.lock, flags);
+	l = c->lch;
+	if (l)
+		writel(LCH_TRF_CMD_DMA_RESUME, RK_DMA_LCH_TRF_CMD);
+	spin_unlock_irqrestore(&c->vc.lock, flags);
 
 	return 0;
 }