On Fri,  7 Sep 2012 12:43:37 +0200
Javier Martin <javier.mar...@vista-silicon.com> wrote:
...
> +static void mxcmci_dma_callback(void *data)
> +{
> +     struct mxcmci_host *host = data;
> +     u32 stat;
> +
> +     del_timer(&host->watchdog);
> +
> +     stat = readl(host->base + MMC_REG_STATUS);
> +     writel(stat & ~STATUS_DATA_TRANS_DONE, host->base + MMC_REG_STATUS);
> +
> +     dev_dbg(mmc_dev(host->mmc), "%s: 0x%08x\n", __func__, stat);
> +
> +     if (stat & STATUS_READ_OP_DONE)
> +             writel(STATUS_READ_OP_DONE, host->base + MMC_REG_STATUS);
> +
> +     mxcmci_data_done(host, stat);
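Review bot: the call `mxcmci_data_done(host, stat);` on the last line of this hunk runs from the DMA completion callback with nothing serializing it against mxcmci_irq(), so host->req and host->data can be completed and cleared by the interrupt handler between `stat = readl(host->base + MMC_REG_STATUS);` and that call; the callback should take whatever lock the IRQ path uses (or re-check host->req under it) before calling mxcmci_data_done(). Separately, `writel(stat & ~STATUS_DATA_TRANS_DONE, host->base + MMC_REG_STATUS);` and `writel(STATUS_READ_OP_DONE, host->base + MMC_REG_STATUS);` treat the status register with opposite conventions: if MMC_REG_STATUS is write-1-to-clear, the first write clears every pending bit except DATA_TRANS_DONE, which is the reverse of what the expression suggests, so one of the two writes should be changed to match the register's documented behaviour.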

this change introduces a race condition for host->req (and maybe
for host->data) accesses. The callback is running in soft-irq context and can
be interrupted by the mxcmci_irq() interrupt which can finish the request and
set host->req to NULL. Then mxcmci_data_done() crashes with a null pointer
dereference. How extensively was it tested?

Anatolij
--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
