drivers: mailbox: fix race resulting in multiple message submission
The mailbox sends a request to the controller and the tx_done callback
received for that request clears the active_req pointer. The callback
sends the next request in the queue, if there is one. When a controller
is busy and cannot accept any more requests until the interrupt is
cleared, it would return -EAGAIN. The mailbox controller must unlock its
spinlock and retry again.
An incorrect check for the -EAGAIN allows, the mailbox to send multiple
requests without receiving the tx_done callback for the first one sent.
As a result, the active_req pointer is overwritten and holds on only to
the last request sent. When the second tx_done is received it finds the
active_req to be NULL already and bails out before notifying the client.
The client may wait forever for this response.
Change-Id: Id58c7365be8c6bfc7f90fe9445c88c1246d2d7f8
Signed-off-by:  Lina Iyer <ilina@codeaurora.org>
Lina Iyer <ilina@codeaurora.org>
Loading
Please register or sign in to comment
