Hi Anatolij,

Anatolij Gustschin wrote:
> this change introduces a race condition for host->req (and maybe
> for host->data) accesses. The callback is running in soft-irq context and can
> be interrupted by the mxcmci_irq() interrupt which can finish the request and
> set host->req to NULL. Then mxcmci_data_done() crashes with a null pointer
> dereference. How extensively was it tested?

Does the patch below help?

--- a/drivers/mmc/host/mxcmmc.c +++ b/drivers/mmc/host/mxcmmc.c @@ -309,9 +309,11 @@ static void mxcmci_dma_callback(void *data) { struct mxcmci_host *host = data; u32 stat; + unsigned int long flags; del_timer(&host->watchdog); + spin_lock_irqsave(&host->lock, flags); stat = readl(host->base + MMC_REG_STATUS); writel(stat & ~STATUS_DATA_TRANS_DONE, host->base + MMC_REG_STATUS); @@ -320,6 +322,7 @@ static void mxcmci_dma_callback(void *data) if (stat & STATUS_READ_OP_DONE) writel(STATUS_READ_OP_DONE, host->base + MMC_REG_STATUS); + spin_unlock_irqrestore(&host->lock, flags); mxcmci_data_done(host, stat); }
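Review bot: the declaration `unsigned int long flags;` in the first hunk (-309,9 +309,11) should read `unsigned long flags;`. It names the same type that spin_lock_irqsave() expects, but the specifier order is unusual enough to look like a typo and does not match how irq flags are normally declared in drivers.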
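Review bot: in the second hunk (-320,6 +322,7), spin_unlock_irqrestore() sits before `mxcmci_data_done(host, stat);`, so the locked region covers only the MMC_REG_STATUS read and writes. The report this patch answers places the crash inside mxcmci_data_done(), after mxcmci_irq() has set host->req to NULL, and that call still runs with the lock released. Consider keeping host->lock held across the host->req access, or reading and checking host->req under the lock and skipping mxcmci_data_done() when it is already NULL. Whether mxcmci_irq() takes host->lock on the path that clears host->req is not visible in this patch and should be confirmed, since the lock only closes the race if both sides use it.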