On Wed, 10 Sep 2025 18:11:09 +0530, Sumit Kumar wrote:
The mhi_ep_read_channel function incorrectly assumes the End of Transfer (EOT) bit is received with the doorbell in chained transactions, causing it to advance mhi_chan->rd_offset beyond wr_offset during host-to-device transfers when EOT has not yet arrived, leading to access of unmapped host memory that causes IOMMU faults and processing of stale TREs.
Modify the loop condition to ensure mhi_queue is not empty, allowing the function to process only valid TREs up to the current write pointer to prevent premature reads and ensure safe traversal of chained TREs. Remove buf_left from the while loop condition to avoid exiting prematurely before reading the ring completely, and remove write_offset since it will always be zero because the new cache buffer is allocated every time.
[...]
Applied, thanks!
[1/1] bus: mhi: ep: Fix chained transfer handling in read path
      commit: f5225a34bd8f9f64eec37f6ae1461289aaa3eb86
Best regards,
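
The loop-bound change described in the quoted commit message, as an added example: a simplified user-space model, not code from the patch or from the kernel driver. Only `rd_offset`, `wr_offset`, TRE and EOT come from the message; the structs, `read_channel()`, `queue_is_empty()`, `make_partial()`, the ring size and the ring contents are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define RING_SIZE 8                  /* constructed ring size */

struct tre { bool eot; };            /* model: only the EOT flag matters */
struct chan {
    struct tre ring[RING_SIZE];
    size_t rd_offset;                /* next TRE the device reads */
    size_t wr_offset;                /* first TRE the host has not published */
};
struct result { size_t consumed, stale; bool tr_done; };

static bool queue_is_empty(const struct chan *c) { return c->rd_offset == c->wr_offset; }

/* bounded=false: loop until EOT is seen (the assumption the commit removes).
 * bounded=true:  also stop once rd_offset reaches wr_offset. */
static struct result read_channel(struct chan *c, bool bounded)
{
    struct result r = {0, 0, false};
    size_t valid = (c->wr_offset + RING_SIZE - c->rd_offset) % RING_SIZE;
    while (!r.tr_done && r.consumed < RING_SIZE) {  /* cap keeps the model finite */
        if (bounded && queue_is_empty(c))
            break;
        if (r.consumed >= valid)
            r.stale++;               /* TRE beyond the write pointer */
        r.tr_done = c->ring[c->rd_offset].eot;
        c->rd_offset = (c->rd_offset + 1) % RING_SIZE;
        r.consumed++;
    }
    return r;
}

/* Constructed state: doorbell after 2 of 4 chained TREs; slot 3 holds a stale EOT. */
static struct chan make_partial(void)
{
    struct chan c = { .rd_offset = 0, .wr_offset = 2 };
    c.ring[3].eot = true;
    return c;
}

int main(void)
{
    struct chan a = make_partial(), b = make_partial();
    struct result u = read_channel(&a, false), f = read_channel(&b, true);
    printf("unbounded: consumed=%zu stale=%zu rd=%zu\n", u.consumed, u.stale, a.rd_offset);
    printf("bounded:   consumed=%zu stale=%zu rd=%zu\n", f.consumed, f.stale, b.rd_offset);
    return 0;
}
```

In the bounded run the reader stops with `rd_offset == wr_offset` and `tr_done` still false, so the rest of the chain is picked up on a later call once the host has advanced the write pointer.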