From: Anatolij Gustschin <agust@denx.de>
To: Javier Martin <javier.martin@vista-silicon.com>
Cc: linux-mmc@vger.kernel.org, viresh.linux@gmail.com,
g.liakhovetski@gmx.de, vinod.koul@linux.intel.com,
s.hauer@pengutronix.de, cjb@laptop.org,
fabio.estevam@freescale.com, gcembed@gmail.com
Subject: Re: [PATCH v2] mmc: mxcmmc: fix bug that may block a data transfer forever.
Date: Tue, 19 Feb 2013 15:14:14 +0100 [thread overview]
Message-ID: <20130219151414.2aa318d7@crub> (raw)
In-Reply-To: <1347014617-16238-1-git-send-email-javier.martin@vista-silicon.com>
On Fri, 7 Sep 2012 12:43:37 +0200
Javier Martin <javier.martin@vista-silicon.com> wrote:
...
> +static void mxcmci_dma_callback(void *data)
> +{
> + struct mxcmci_host *host = data;
> + u32 stat;
> +
> + del_timer(&host->watchdog);
> +
> + stat = readl(host->base + MMC_REG_STATUS);
> + writel(stat & ~STATUS_DATA_TRANS_DONE, host->base + MMC_REG_STATUS);
> +
> + dev_dbg(mmc_dev(host->mmc), "%s: 0x%08x\n", __func__, stat);
> +
> + if (stat & STATUS_READ_OP_DONE)
> + writel(STATUS_READ_OP_DONE, host->base + MMC_REG_STATUS);
> +
> + mxcmci_data_done(host, stat);
this change introduces a race condition for host->req (and maybe
for host->data) accesses. The callback is running in soft-irq context and can
be interrupted by the mxcmci_irq() interrupt which can finish the request and
set host->req to NULL. Then mxcmci_data_done() crashes with a null pointer
dereference. How extensively was it tested?
Anatolij
next prev parent reply other threads:[~2013-02-19 14:14 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-07 10:43 [PATCH v2] mmc: mxcmmc: fix bug that may block a data transfer forever Javier Martin
2012-09-10 7:47 ` Sascha Hauer
2012-09-19 5:52 ` Chris Ball
2012-09-14 2:52 ` Vinod Koul
2012-09-14 12:50 ` javier Martin
2013-02-19 14:14 ` Anatolij Gustschin [this message]
2013-02-21 12:32 ` javier Martin
2013-02-21 12:57 ` Anatolij Gustschin
2013-02-21 15:49 ` Fabio Estevam
2013-03-14 19:58 ` Anatolij Gustschin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130219151414.2aa318d7@crub \
--to=agust@denx.de \
--cc=cjb@laptop.org \
--cc=fabio.estevam@freescale.com \
--cc=g.liakhovetski@gmx.de \
--cc=gcembed@gmail.com \
--cc=javier.martin@vista-silicon.com \
--cc=linux-mmc@vger.kernel.org \
--cc=s.hauer@pengutronix.de \
--cc=vinod.koul@linux.intel.com \
--cc=viresh.linux@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox