mmc: mediatek: fix race condition between msdc_request_timeout and irq

when get request SW timeout, if CMD/DAT xfer done irq coming right now,
then there is race between the msdc_request_timeout work and irq handler,
and the host->cmd and host->data may set to NULL in irq handler. also,
current flow ensure that only one path can go to msdc_request_done(), so
no need check the return value of cancel_delayed_work().

Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
Link: https://lore.kernel.org/r/20201218071611.12276-1-chaotian.jing@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>

diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c
index de09c63..898ed1b 100644 (file)
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -1127,13 +1127,13 @@ static void msdc_track_cmd_data(struct msdc_host *host,
 static void msdc_request_done(struct msdc_host *host, struct mmc_request *mrq)
 {
        unsigned long flags;
-       bool ret;
 
-       ret = cancel_delayed_work(&host->req_timeout);
-       if (!ret) {
-               /* delay work already running */
-               return;
-       }
+       /*
+        * No need check the return value of cancel_delayed_work, as only ONE
+        * path will go here!
+        */
+       cancel_delayed_work(&host->req_timeout);
+
        spin_lock_irqsave(&host->lock, flags);
        host->mrq = NULL;
        spin_unlock_irqrestore(&host->lock, flags);
@@ -1155,7 +1155,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
        bool done = false;
        bool sbc_error;
        unsigned long flags;
-       u32 *rsp = cmd->resp;
+       u32 *rsp;
 
        if (mrq->sbc && cmd == mrq->cmd &&
            (events & (MSDC_INT_ACMDRDY | MSDC_INT_ACMDCRCERR
@@ -1176,6 +1176,7 @@ static bool msdc_cmd_done(struct msdc_host *host, int events,
 
        if (done)
                return true;
+       rsp = cmd->resp;
 
        sdr_clr_bits(host->base + MSDC_INTEN, cmd_ints_mask);
 
@@ -1363,7 +1364,7 @@ static void msdc_data_xfer_next(struct msdc_host *host,
 static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
                                struct mmc_request *mrq, struct mmc_data *data)
 {
-       struct mmc_command *stop = data->stop;
+       struct mmc_command *stop;
        unsigned long flags;
        bool done;
        unsigned int check_data = events &
@@ -1379,6 +1380,7 @@ static bool msdc_data_xfer_done(struct msdc_host *host, u32 events,
 
        if (done)
                return true;
+       stop = data->stop;
 
        if (check_data || (stop && stop->error)) {
                dev_dbg(host->dev, "DMA status: 0x%8X\n",