From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jialing Fu <jlfu@marvell.com>,
Shawn Lin <shawn.lin@rock-chips.com>,
Ulf Hansson <ulf.hansson@linaro.org>
Subject: [PATCH 3.10 21/56] mmc: core: fix race condition in mmc_wait_data_done
Date: Tue, 29 Sep 2015 15:47:09 +0200 [thread overview]
Message-ID: <20150929134701.326153950@linuxfoundation.org> (raw)
In-Reply-To: <20150929134700.376714360@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jialing Fu <jlfu@marvell.com>
commit 71f8a4b81d040b3d094424197ca2f1bf811b1245 upstream.
The following panic is captured in ker3.14, but the issue still exists
in latest kernel.
---------------------------------------------------------------------
[ 20.738217] c0 3136 (Compiler) Unable to handle kernel NULL pointer dereference
at virtual address 00000578
......
[ 20.738499] c0 3136 (Compiler) PC is at _raw_spin_lock_irqsave+0x24/0x60
[ 20.738527] c0 3136 (Compiler) LR is at _raw_spin_lock_irqsave+0x20/0x60
[ 20.740134] c0 3136 (Compiler) Call trace:
[ 20.740165] c0 3136 (Compiler) [<ffffffc0008ee900>] _raw_spin_lock_irqsave+0x24/0x60
[ 20.740200] c0 3136 (Compiler) [<ffffffc0000dd024>] __wake_up+0x1c/0x54
[ 20.740230] c0 3136 (Compiler) [<ffffffc000639414>] mmc_wait_data_done+0x28/0x34
[ 20.740262] c0 3136 (Compiler) [<ffffffc0006391a0>] mmc_request_done+0xa4/0x220
[ 20.740314] c0 3136 (Compiler) [<ffffffc000656894>] sdhci_tasklet_finish+0xac/0x264
[ 20.740352] c0 3136 (Compiler) [<ffffffc0000a2b58>] tasklet_action+0xa0/0x158
[ 20.740382] c0 3136 (Compiler) [<ffffffc0000a2078>] __do_softirq+0x10c/0x2e4
[ 20.740411] c0 3136 (Compiler) [<ffffffc0000a24bc>] irq_exit+0x8c/0xc0
[ 20.740439] c0 3136 (Compiler) [<ffffffc00008489c>] handle_IRQ+0x48/0xac
[ 20.740469] c0 3136 (Compiler) [<ffffffc000081428>] gic_handle_irq+0x38/0x7c
----------------------------------------------------------------------
Because in SMP, "mrq" has race condition between below two paths:
path1: CPU0: <tasklet context>
static void mmc_wait_data_done(struct mmc_request *mrq)
{
mrq->host->context_info.is_done_rcv = true;
//
// If CPU0 has just finished "is_done_rcv = true" in path1, and at
// this moment, IRQ or ICache line missing happens in CPU0.
// What happens in CPU1 (path2)?
//
// If the mmcqd thread in CPU1(path2) hasn't entered to sleep mode:
// path2 would have chance to break from wait_event_interruptible
// in mmc_wait_for_data_req_done and continue to run for next
// mmc_request (mmc_blk_rw_rq_prep).
//
// Within mmc_blk_rq_prep, mrq is cleared to 0.
// If below line still gets host from "mrq" as the result of
// compiler, the panic happens as we traced.
wake_up_interruptible(&mrq->host->context_info.wait);
}
path2: CPU1: <The mmcqd thread runs mmc_queue_thread>
static int mmc_wait_for_data_req_done(...
{
...
while (1) {
wait_event_interruptible(context_info->wait,
(context_info->is_done_rcv ||
context_info->is_new_req));
static void mmc_blk_rw_rq_prep(...
{
...
memset(brq, 0, sizeof(struct mmc_blk_request));
This issue happens very coincidentally; however adding mdelay(1) in
mmc_wait_data_done as below could duplicate it easily.
static void mmc_wait_data_done(struct mmc_request *mrq)
{
mrq->host->context_info.is_done_rcv = true;
+ mdelay(1);
wake_up_interruptible(&mrq->host->context_info.wait);
}
At runtime, IRQ or ICache line missing may just happen at the same place
of the mdelay(1).
This patch gets the mmc_context_info at the beginning of function, it can
avoid this race condition.
Signed-off-by: Jialing Fu <jlfu@marvell.com>
Tested-by: Shawn Lin <shawn.lin@rock-chips.com>
Fixes: 2220eedfd7ae ("mmc: fix async request mechanism ....")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/mmc/core/core.c
+++ b/drivers/mmc/core/core.c
@@ -327,8 +327,10 @@ EXPORT_SYMBOL(mmc_start_bkops);
*/
static void mmc_wait_data_done(struct mmc_request *mrq)
{
- mrq->host->context_info.is_done_rcv = true;
- wake_up_interruptible(&mrq->host->context_info.wait);
+ struct mmc_context_info *context_info = &mrq->host->context_info;
+
+ context_info->is_done_rcv = true;
+ wake_up_interruptible(&context_info->wait);
}
static void mmc_wait_done(struct mmc_request *mrq)
next prev parent reply other threads:[~2015-09-29 13:48 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-29 13:46 [PATCH 3.10 00/56] 3.10.90-stable review Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 01/56] unshare: Unsharing a thread does not require unsharing a vm Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 02/56] rtlwifi: rtl8192cu: Add new device ID Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 03/56] tg3: Fix temperature reporting Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 04/56] mac80211: enable assoc check for mesh interfaces Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 05/56] arm64: kconfig: Move LIST_POISON to a safe value Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 06/56] arm64: compat: fix vfp save/restore across signal handlers in big-endian Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 07/56] arm64: head.S: initialise mdcr_el2 in el2_setup Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 08/56] Input: synaptics - fix handling of disabling gesture mode Greg Kroah-Hartman
2015-09-29 13:57 ` Dmitry Torokhov
2015-09-29 14:18 ` Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 09/56] ALSA: hda - Enable headphone jack detect on old Fujitsu laptops Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 10/56] ALSA: hda - Use ALC880_FIXUP_FUJITSU for FSC Amilo M1437 Greg Kroah-Hartman
2015-09-29 13:46 ` [PATCH 3.10 11/56] powerpc/mm: Fix pte_pagesize_index() crash on 4K w/64K hash Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 12/56] powerpc/rtas: Introduce rtas_get_sensor_fast() for IRQ handlers Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 13/56] Add radeon suspend/resume quirk for HP Compaq dc5750 Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 14/56] x86/mm: Initialize pmd_idx in page_table_range_init_count() Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 16/56] NFSv4: dont set SETATTR for O_RDONLY|O_EXCL Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 17/56] NFS: nfs_set_pgio_error sometimes misses errors Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 18/56] parisc: Filter out spurious interrupts in PA-RISC irq handler Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 19/56] vmscan: fix increasing nr_isolated incurred by putback unevictable pages Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 20/56] fs: if a coredump already exists, unlink and recreate with O_EXCL Greg Kroah-Hartman
2015-09-29 13:47 ` Greg Kroah-Hartman [this message]
2015-09-29 13:47 ` [PATCH 3.10 22/56] md/raid10: always set reshape_safe when initializing reshape_position Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 23/56] xen/gntdev: convert priv->lock to a mutex Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 24/56] hfs: fix B-tree corruption after insertion at position 0 Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 25/56] IB/uverbs: reject invalid or unknown opcodes Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 26/56] IB/uverbs: Fix race between ib_uverbs_open and remove_one Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 27/56] IB/mlx4: Forbid using sysfs to change RoCE pkeys Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 28/56] IB/mlx4: Use correct SL on AH query under RoCE Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 29/56] stmmac: fix check for phydev being open Greg Kroah-Hartman
2015-09-30 11:20 ` Sergei Shtylyov
2015-09-29 13:47 ` [PATCH 3.10 30/56] hfs,hfsplus: cache pages correctly between bnode_create and bnode_free Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 31/56] sctp: fix ASCONF list handling Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 32/56] vhost/scsi: potential memory corruption Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 33/56] x86: bpf_jit: fix compilation of large bpf programs Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 34/56] ipv6: Make MLD packets to only be processed locally Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 35/56] net/tipc: initialize security state for new connection socket Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 36/56] bridge: mdb: zero out the local br_ip variable before use Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 37/56] net: pktgen: fix race between pktgen_thread_worker() and kthread_stop() Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 38/56] net: call rcu_read_lock early in process_backlog Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 39/56] net: Clone skb before setting peeked flag Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 40/56] net: Fix skb csum races when peeking Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 41/56] net: Fix skb_set_peeked use-after-free bug Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 42/56] bridge: mdb: fix double add notification Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 43/56] isdn/gigaset: reset tty->receive_room when attaching ser_gigaset Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 44/56] ipv6: lock socket in ip6_datagram_connect() Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 45/56] bonding: fix destruction of bond with devices different from arphrd_ether Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 46/56] inet: frags: fix defragmented packets IP header for af_packet Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 47/56] netlink: dont hold mutex in rcu callback when releasing mmapd ring Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 48/56] rds: fix an integer overflow test in rds_info_getsockopt() Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 49/56] ip6_gre: release cached dst on tunnel removal Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 50/56] usbnet: Get EVENT_NO_RUNTIME_PM bit before it is cleared Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 51/56] ipv6: fix exthdrs offload registration in out_rt path Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 52/56] net/ipv6: Correct PIM6 mrt_lock handling Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 53/56] sctp: fix race on protocol/netns initialization Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 54/56] fib_rules: fix fib rule dumps across multiple skbs Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 55/56] vfs: Remove incorrect debugging WARN in prepend_path Greg Kroah-Hartman
2015-09-29 13:47 ` [PATCH 3.10 56/56] Revert "iio: bmg160: IIO_BUFFER and IIO_TRIGGERED_BUFFER are required" Greg Kroah-Hartman
2015-09-29 16:53 ` [PATCH 3.10 00/56] 3.10.90-stable review Shuah Khan
2015-09-29 21:14 ` Guenter Roeck
2015-09-30 5:45 ` Sudip Mukherjee
[not found] ` <562a7d97.a9c6b40a.4a84c.46d4@mx.google.com>
2015-10-23 18:36 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150929134701.326153950@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jlfu@marvell.com \
--cc=linux-kernel@vger.kernel.org \
--cc=shawn.lin@rock-chips.com \
--cc=stable@vger.kernel.org \
--cc=ulf.hansson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).