2020-12-18 07:33:02

by Chaotian Jing

Subject: [PATCH] mmc: mediatek: fix race condition between msdc_request_timeout and irq

When a request hits the SW timeout and the CMD/DAT xfer done irq arrives at
the same moment, the msdc_request_timeout work races with the irq handler,
and host->cmd and host->data may be set to NULL in the irq handler. Also,
the current flow ensures that only one path can reach msdc_request_done(),
so there is no need to check the return value of cancel_delayed_work().

Signed-off-by: Chaotian Jing <[email protected]>
---
drivers/mmc/host/mtk-sd.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
index de09c6347524..898ed1b023df 100644
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -1127,13 +1127,13 @@ static void msdc_track_cmd_data(struct msdc_host *host,
static void msdc_request_done(struct msdc_host *host, struct mmc_request *mrq)
{
unsigned long flags;
- bool ret;

- ret = cancel_delayed_work(&host->req_timeout);
- if (!ret) {
- /* delay work already running */
- return;
- }
+ /*
+ * No need check the return value of cancel_delayed_work, as only ONE
+ * path will go here!
+ */
+ cancel_delayed_work(&host->req_timeout);
+
spin_lock_irqsave(&host->lock, flags);
host->mrq = NULL;
spin_unlock_irqrestore(&host->lock, flags);
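Review bot: The new comment says only one path reaches this point but not what enforces that, and with the early return gone the whole function now depends on it. cancel_delayed_work() does not wait for a handler that is already running, so the timeout work can still be executing while `host->mrq` is cleared here. The comment should name the mechanism, for example `/* Timeout work may already be running; cancel_delayed_work() does not wait. Only one caller gets here because msdc_cmd_done()/msdc_data_xfer_done() claim host->cmd/host->data under host->lock. */`. That mechanism is inferred from the `done` checks in the later hunks, so confirm it against the full file. The body of msdc_request_done continues outside the hunk.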
@@ -1155,7 +1155,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
bool done = false;
bool sbc_error;
unsigned long flags;
- u32 *rsp = cmd->resp;
+ u32 *rsp;

if (mrq->sbc && cmd == mrq->cmd &&
(events & (MSDC_INT_ACMDRDY | MSDC_INT_ACMDCRCERR
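Review bot: `mrq->sbc` and `cmd == mrq->cmd` in this condition are still evaluated before the `done` check, so `mrq` is dereferenced on the racy path this patch is meant to make safe. The first hunk shows msdc_request_done() setting `host->mrq = NULL`; if the timeout work passes `host->mrq` read without `host->lock` (the caller is not on this page), a NULL or already completed request could reach this line. Consider having the caller snapshot `host->mrq`, `host->cmd` and `host->data` under `host->lock`. A guard such as `if (!mrq || !cmd) return true;` at the top would cover only the NULL case. The body of msdc_cmd_done starts and continues outside the hunk.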
@@ -1176,6 +1176,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,

if (done)
return true;
+ rsp = cmd->resp;

sdr_clr_bits(host->base + MSDC_INTEN, cmd_ints_mask);

@@ -1363,7 +1364,7 @@ static void msdc_data_xfer_next(struct msdc_host *host,
static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
struct mmc_request *mrq, struct mmc_data *data)
{
- struct mmc_command *stop = data->stop;
+ struct mmc_command *stop;
unsigned long flags;
bool done;
unsigned int check_data = events &
@@ -1379,6 +1380,7 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,

if (done)
return true;
+ stop = data->stop;

if (check_data || (stop && stop->error)) {
dev_dbg(host->dev, "DMA status: 0x%8X\n",
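Review bot: The deferred `stop = data->stop;` has no comment explaining why it sits after `if (done) return true;`, and the same holds for `rsp = cmd->resp;` in the msdc_cmd_done hunk. Without one, a later cleanup could fold the assignment back into the declaration and reintroduce the early dereference of a pointer that, per the commit message, the irq handler may already have cleared. A one-line comment would pin it: `/* data may be stale until ownership is claimed above; do not dereference earlier */`. The body of msdc_data_xfer_done starts and continues outside the hunk.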
--
2.18.0


2021-01-13 11:27:35

by Ulf Hansson

Subject: Re: [PATCH] mmc: mediatek: fix race condition between msdc_request_timeout and irq

On Fri, 18 Dec 2020 at 08:16, Chaotian Jing <[email protected]> wrote:
>
> when get request SW timeout, if CMD/DAT xfer done irq coming right now,
> then there is race between the msdc_request_timeout work and irq handler,
> and the host->cmd and host->data may set to NULL in irq handler. also,
> current flow ensure that only one path can go to msdc_request_done(), so
> no need check the return value of cancel_delayed_work().
>
> Signed-off-by: Chaotian Jing <[email protected]>

Applied for next, thanks!

Kind regards
Uffe


> ---
> drivers/mmc/host/mtk-sd.c | 18 ++++++++++--------
> 1 file changed, 10 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
> index de09c6347524..898ed1b023df 100644
> --- a/drivers/mmc/host/mtk-sd.c
> +++ b/drivers/mmc/host/mtk-sd.c
> @@ -1127,13 +1127,13 @@ static void msdc_track_cmd_data(struct msdc_host *host,
> static void msdc_request_done(struct msdc_host *host, struct mmc_request *mrq)
> {
> unsigned long flags;
> - bool ret;
>
> - ret = cancel_delayed_work(&host->req_timeout);
> - if (!ret) {
> - /* delay work already running */
> - return;
> - }
> + /*
> + * No need check the return value of cancel_delayed_work, as only ONE
> + * path will go here!
> + */
> + cancel_delayed_work(&host->req_timeout);
> +
> spin_lock_irqsave(&host->lock, flags);
> host->mrq = NULL;
> spin_unlock_irqrestore(&host->lock, flags);
> @@ -1155,7 +1155,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
> bool done = false;
> bool sbc_error;
> unsigned long flags;
> - u32 *rsp = cmd->resp;
> + u32 *rsp;
>
> if (mrq->sbc && cmd == mrq->cmd &&
> (events & (MSDC_INT_ACMDRDY | MSDC_INT_ACMDCRCERR
> @@ -1176,6 +1176,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
>
> if (done)
> return true;
> + rsp = cmd->resp;
>
> sdr_clr_bits(host->base + MSDC_INTEN, cmd_ints_mask);
>
> @@ -1363,7 +1364,7 @@ static void msdc_data_xfer_next(struct msdc_host *host,
> static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
> struct mmc_request *mrq, struct mmc_data *data)
> {
> - struct mmc_command *stop = data->stop;
> + struct mmc_command *stop;
> unsigned long flags;
> bool done;
> unsigned int check_data = events &
> @@ -1379,6 +1380,7 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
>
> if (done)
> return true;
> + stop = data->stop;
>
> if (check_data || (stop && stop->error)) {
> dev_dbg(host->dev, "DMA status: 0x%8X\n",
> --
> 2.18.0
>