Hi Chuansheng,

On Tue, Nov 05 2013, Chuansheng Liu wrote:
> In function sdhci_request(), it is possible to do the tuning execution
> like below:
>
> sdhci_request() {
>     spin_lock_irqsave(&host->lock, flags);
>     host->mrq = mrq;
>     ...
>     spin_unlock_irqrestore(&host->lock, flags);
>
>     <=== Here it is possible that one pending finish_tasklet gets run,
>          operates on the original mrq, and notifies that the mrq is
>          done, which causes memory corruption.
>
>     sdhci_execute_tuning(mmc, tuning_opcode);
>     spin_lock_irqsave(&host->lock, flags);
>     host->mrq = mrq;
>     ...
> }
>
> At the race point above, the original mrq should not be finished wrongly,
> so before dropping the spinlock we need to set host->mrq to NULL
> to avoid this case.
>
> Signed-off-by: Liu, Chuansheng <chuansheng.liu@xxxxxxxxx>
> ---
>  drivers/mmc/host/sdhci.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
> index 7a7fb4f..c7a001a 100644
> --- a/drivers/mmc/host/sdhci.c
> +++ b/drivers/mmc/host/sdhci.c
> @@ -1391,6 +1391,13 @@ static void sdhci_request(struct mmc_host *mmc, struct mmc_request *mrq)
>  			mmc->card->type == MMC_TYPE_MMC ?
>  				MMC_SEND_TUNING_BLOCK_HS200 :
>  				MMC_SEND_TUNING_BLOCK;
> +
> +			/* Here we need to set the host->mrq to NULL,
> +			 * in case the penging finish_tasklet
> +			 * operates it wrongly.
> +			 */
> +			host->mrq = NULL;
> +
>  		spin_unlock_irqrestore(&host->lock, flags);
>  		sdhci_execute_tuning(mmc, tuning_opcode);
>  		spin_lock_irqsave(&host->lock, flags);

Thanks, pushed to mmc-next for 3.14.

- Chris.
-- 
Chris Ball <cjb@xxxxxxxxxx> <http://printf.net/>
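Review bot: the comment added in this hunk misspells "pending" as "penging" and, more importantly, does not say why storing NULL is sufficient. The ordering is only safe because a finish_tasklet that runs while host->mrq is NULL has no active request to complete, and because the request is re-attached under the lock after sdhci_execute_tuning() returns (the commit message shows that second "host->mrq = mrq;" store). Suggest the comment state both halves, e.g. "Clear host->mrq before dropping the lock so a pending finish_tasklet cannot complete this request during tuning; it is re-attached below after sdhci_execute_tuning()." Since the "host->mrq = mrq;" store made just before this point is now immediately undone, the two stores could also be folded into the single one after the tuning call.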
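To make the window in the commit message concrete, here is an added userspace model of the race (not code from sdhci.c or from the patch). It assumes the shape of the finish tasklet implied by the discussion: bail out when host->mrq is NULL, otherwise detach the request under the lock and complete it outside the lock. The lock is modelled as a non-recursive flag, the pending tasklet is run deliberately at the point where the lock is dropped, and the two orderings are selected by a flag so the old and patched behaviour can be compared on the same state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model of the race; not code from sdhci.c. */
struct mmc_request {
    int opcode;
    int done_count;          /* times "mmc_request_done" ran on this request */
};

struct sdhci_host {
    int lock_held;           /* stands in for host->lock */
    struct mmc_request *mrq; /* the request the host believes is in flight */
    bool tasklet_pending;    /* a finish_tasklet already scheduled (assumed) */
};

static void host_lock(struct sdhci_host *h)
{
    if (h->lock_held)        /* lock is not recursive; catch modelling mistakes */
        abort();
    h->lock_held = 1;
}

static void host_unlock(struct sdhci_host *h)
{
    h->lock_held = 0;
}

/*
 * Shape assumed for the finish tasklet (from the discussion, not copied from
 * the driver): with no active request there is nothing to do; otherwise detach
 * the request under the lock and complete it outside the lock.
 */
static void finish_tasklet(struct sdhci_host *host)
{
    struct mmc_request *mrq;

    host_lock(host);
    if (!host->mrq) {
        host_unlock(host);
        return;
    }
    mrq = host->mrq;
    host->mrq = NULL;
    host_unlock(host);

    mrq->done_count++;       /* mmc_request_done(): the core may now free/reuse mrq */
}

/* Runs the pending tasklet exactly at the point where the lock was dropped. */
static void run_pending_tasklet(struct sdhci_host *host)
{
    if (host->tasklet_pending) {
        host->tasklet_pending = false;
        finish_tasklet(host);
    }
}

static void execute_tuning(struct sdhci_host *host)
{
    (void)host;              /* talks to hardware with the lock dropped */
}

/*
 * Request path around the tuning call. clear_before_unlock == false is the
 * ordering the patch replaces; true is the ordering the patch introduces.
 */
static void sdhci_request_model(struct sdhci_host *host, struct mmc_request *mrq,
                                bool clear_before_unlock)
{
    host_lock(host);
    host->mrq = mrq;
    if (clear_before_unlock)
        host->mrq = NULL;    /* the one-line fix from the patch */
    host_unlock(host);

    run_pending_tasklet(host);   /* the window the commit message describes */
    execute_tuning(host);

    host_lock(host);
    host->mrq = mrq;             /* re-attach once tuning is done, as the driver does */
    host_unlock(host);
}

/* How many times mrq was completed before its command was even issued. */
int premature_completions(bool fixed)
{
    struct sdhci_host host = { .lock_held = 0, .mrq = NULL, .tasklet_pending = true };
    struct mmc_request mrq = { .opcode = 21, .done_count = 0 };  /* CMD21, HS200 tuning */

    sdhci_request_model(&host, &mrq, fixed);
    return mrq.done_count;
}

/* With the fix in place the request is still completed exactly once later on. */
int completions_after_real_finish(void)
{
    struct sdhci_host host = { .lock_held = 0, .mrq = NULL, .tasklet_pending = true };
    struct mmc_request mrq = { .opcode = 21, .done_count = 0 };

    sdhci_request_model(&host, &mrq, true);
    finish_tasklet(&host);       /* the genuine completion of this request */
    return mrq.done_count;
}

int main(void)
{
    printf("old ordering: completed %d time(s) inside the unlock window\n",
           premature_completions(false));
    printf("patched ordering: completed %d time(s) inside the unlock window\n",
           premature_completions(true));
    printf("patched ordering, after the real completion: %d\n",
           completions_after_real_finish());
    return 0;
}
```

With the old ordering the stale tasklet completes the new request once while the lock is dropped, and the driver then re-attaches the same request, so the eventual real completion would finish it a second time; that double mmc_request_done() on memory the core may already have reused is the corruption the commit message refers to. With the patched ordering the tasklet finds NULL and does nothing, and the request is still completed exactly once by the genuine finish path.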