From: Sascha Hauer <s.hauer@pengutronix.de>
To: Anatolij Gustschin <agust@denx.de>
Cc: linux-mmc@vger.kernel.org, Chris Ball <cjb@laptop.org>,
Markus Pargmann <mpa@pengutronix.de>,
devicetree-discuss@lists.ozlabs.org
Subject: Re: [PATCH v2 5/5] mmc: mxcmmc: fix race conditions for host->req and host->data access
Date: Tue, 2 Apr 2013 08:58:52 +0200
Message-ID: <20130402065852.GD1906@pengutronix.de>
In-Reply-To: <1364768585-5177-6-git-send-email-agust@denx.de>
On Mon, Apr 01, 2013 at 12:23:05AM +0200, Anatolij Gustschin wrote:
> mxcmci_dma_callback() is invoked by DMA drivers in soft-irq
> context and can be interrupted by the mxcmci_irq() interrupt
> which can finish the mmc request or data transfer and set
> host->req or host->data pointers to NULL. Then mxcmci_data_done()
> crashes with a null pointer dereference. Protect all accesses
> to host->req and host->data by spin locks.
>
> Also check host->data pointer in mxcmci_watchdog() before
> dereferencing it.
>
> Signed-off-by: Anatolij Gustschin <agust@denx.de>
This looks like a bugfix which should be first in this series.
Sascha
> ---
> v2:
> - only rebased
>
> drivers/mmc/host/mxcmmc.c | 31 ++++++++++++++++++++++++-------
> 1 files changed, 24 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/mmc/host/mxcmmc.c b/drivers/mmc/host/mxcmmc.c
> index 2861e0d..23deb2a 100644
> --- a/drivers/mmc/host/mxcmmc.c
> +++ b/drivers/mmc/host/mxcmmc.c
> @@ -694,24 +694,40 @@ static void mxcmci_datawork(struct work_struct *work)
>
> static void mxcmci_data_done(struct mxcmci_host *host, unsigned int stat)
> {
> - struct mmc_data *data = host->data;
> + struct mmc_request *req;
> int data_error;
> + unsigned long flags;
> +
> + spin_lock_irqsave(&host->lock, flags);
>
> - if (!data)
> + if (!host->data) {
> + spin_unlock_irqrestore(&host->lock, flags);
> return;
> + }
> +
> + if (!host->req) {
> + spin_unlock_irqrestore(&host->lock, flags);
> + return;
> + }
> +
> + req = host->req;
> + if (!req->stop)
> + host->req = NULL; /* we will handle finish req below */
>
> data_error = mxcmci_finish_data(host, stat);
>
> + spin_unlock_irqrestore(&host->lock, flags);
> +
> mxcmci_read_response(host, stat);
> host->cmd = NULL;
>
> - if (host->req->stop) {
> - if (mxcmci_start_cmd(host, host->req->stop, 0)) {
> - mxcmci_finish_request(host, host->req);
> + if (req->stop) {
> + if (mxcmci_start_cmd(host, req->stop, 0)) {
> + mxcmci_finish_request(host, req);
> return;
> }
> } else {
> - mxcmci_finish_request(host, host->req);
> + mxcmci_finish_request(host, req);
> }
> }
>
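Review bot: In mxcmci_data_done(), the req->stop path leaves host->req set when spin_unlock_irqrestore() is called, so between the unlock and the later mxcmci_finish_request(host, req) another context can still see the same request through host->req and complete or clear it; the local req pointer only avoids the NULL dereference, not a second completion. Consider deciding ownership of the request while the lock is held in both branches, or documenting why the stop path is safe. Separately, mxcmci_finish_data(host, stat) now runs with host->lock held and interrupts disabled, so it is worth confirming that it neither takes host->lock itself nor sleeps. The write "host->cmd = NULL;" stays outside the lock even though it is shared state of the same kind. The two early-return blocks could be folded into one check, "if (!host->data || !host->req)", with a single unlock.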
> @@ -1005,7 +1021,8 @@ static void mxcmci_watchdog(unsigned long data)
>
> /* Mark transfer as erroneus and inform the upper layers */
>
> - host->data->error = -ETIMEDOUT;
> + if (host->data)
> + host->data->error = -ETIMEDOUT;
> host->req = NULL;
> host->cmd = NULL;
> host->data = NULL;
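Review bot: In mxcmci_watchdog(), the new "if (host->data)" test and the dereference on the next line are not covered by host->lock in the lines shown, so the pointer can still be set to NULL between the check and "host->data->error = -ETIMEDOUT;", which is the same race the commit message describes for mxcmci_data_done(). The following writes to host->req, host->cmd and host->data are unlocked as well. Suggest taking spin_lock_irqsave(&host->lock, flags) around the check, the error assignment and the three NULL assignments, to match the commit message's "Protect all accesses to host->req and host->data by spin locks".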
> --
> 1.7.5.4
>
>
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |