KERNEL_VERSION: 2.6.31
DESCRIBE:
Driver ./drivers/mmc/host/wbsd.c calls spin_lock_bh and then spin_unlock
instead of spin_unlock_bh:
753 static void wbsd_request(struct mmc_host *mmc, struct mmc_request *mrq)
...
761 spin_lock_bh(&host->lock);
...
844 done:
845 wbsd_request_end(host, mrq);
846
847 spin_unlock_bh(&host->lock);
848 }
But in wsdb_request calls spin_unlock/spin_lock instead of
spin_unlock_bh/spin_lock_bh;
206 static void wbsd_request_end(struct wbsd_host *host, struct mmc_request
...
230 spin_unlock(&host->lock);
231 mmc_request_done(host->mmc, mrq);
232 spin_lock(&host->lock);
233 }
Found by : Linux Driver Verification
On Thu, 2009-10-08 at 15:18 +0000, Alexander Strakh wrote:
> KERNEL_VERSION: 2.6.31
> DESCRIBE:
> Driver ./drivers/mmc/host/wbsd.c calls spin_lock_bh and then spin_unlock
> instead of spin_unlock_bh:
>
> 753 static void wbsd_request(struct mmc_host *mmc, struct mmc_request *mrq)
> ....
> 761 spin_lock_bh(&host->lock);
> ....
> 844 done:
> 845 wbsd_request_end(host, mrq);
> 846
> 847 spin_unlock_bh(&host->lock);
> 848 }
>
> But in wsdb_request calls spin_unlock/spin_lock instead of
> spin_unlock_bh/spin_lock_bh;
>
> 206 static void wbsd_request_end(struct wbsd_host *host, struct mmc_request
> ....
> 230 spin_unlock(&host->lock);
> 231 mmc_request_done(host->mmc, mrq);
> 232 spin_lock(&host->lock);
> 233 }
Doesn't look too odd, it simply leaves BH disabled, but unlocks the
spinlock.
On Thu, 8 Oct 2009, Alexander Strakh wrote:
> KERNEL_VERSION: 2.6.31
> DESCRIBE:
> Driver ./drivers/mmc/host/wbsd.c calls spin_lock_bh and then spin_unlock
> instead of spin_unlock_bh:
>
> 753 static void wbsd_request(struct mmc_host *mmc, struct mmc_request *mrq)
> ...
> 761 spin_lock_bh(&host->lock);
> ...
> 844 done:
> 845 wbsd_request_end(host, mrq);
> 846
> 847 spin_unlock_bh(&host->lock);
> 848 }
>
> But in wsdb_request calls spin_unlock/spin_lock instead of
> spin_unlock_bh/spin_lock_bh;
>
> 206 static void wbsd_request_end(struct wbsd_host *host, struct mmc_request
> ...
> 230 spin_unlock(&host->lock);
> 231 mmc_request_done(host->mmc, mrq);
> 232 spin_lock(&host->lock);
> 233 }
And where exactly you see a bug?
wbsd_request_end() can be called in the following ways:
- through wbsd_finish_data() from tasklet (therefore no need to disable
tasklets there)
- from wbsd_request() directly. The sequence here is
spin_lock_bh(&host->lock);
...
wbsd_request_end(host, mrq);
spin_unlock(&host->lock);
....
spin_lock(&host->lock);
spin_unlock_bh(&host->lock);
So the whole thing runs with tasklets disabled, no matter what you do
with the host->lock, and they are only enabled at the very end of
wbsd_request()
So, what exact problem scenario do you see here?
--
Jiri Kosina
SUSE Labs, Novell Inc.