Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / 0facf174a540c98c6096829d63eddf93f5f5570c^! / .
commit0facf174a540c98c6096829d63eddf93f5f5570c[log] [tgz]
authorSujit Reddy Thumma <sthumma@codeaurora.org>Thu Jun 20 14:11:38 2013 +0530
committerSujit Reddy Thumma <sthumma@codeaurora.org>Fri Jun 21 19:13:24 2013 +0530
treed22c11c9194c866502b5f1341a80187b7f5e8086
parent01db8712c969f16951f2cf3fe1ac0fad94aea194 [diff]
mmc: msm_sdcc: Fix null pointer dereference in msmsdcc_pio_irq()

In a case where, the data transfer is scheduled in PIO mode, the write
data pend feature is enabled and the command corresponding to the data
transfer is timedout, it can happen that the failure recovery mechanism
clears the internal data transfer structure but not the PIO IRQ mask.
Since the msmsdcc_irq() and msmsdcc_pio_irq() are shared IRQ handlers,
the data structures free'd in command timeout interrupt routine might
be accessed in the msmsdcc_pio_irq() causing NULL pointer dereference.
Fix this by clearing PIO IRQ mask before stopping the data transfer.

CRs-Fixed: 498700
Change-Id: If597eed5da1707b8cbfb2c9c305719bf21d0eec5
Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>

diff --git a/drivers/mmc/host/msm_sdcc.c b/drivers/mmc/host/msm_sdcc.c
index e285bfa..476e75c 100644
--- a/drivers/mmc/host/msm_sdcc.c
+++ b/drivers/mmc/host/msm_sdcc.c

@@ -1656,6 +1656,13 @@
 	sg_miter_stop(&host->pio.sg_miter);
 }
 
+static inline void msmsdcc_clear_pio_irq_mask(struct msmsdcc_host *host)
+{
+	writel_relaxed(readl_relaxed(host->base + MMCIMASK0) & ~MCI_IRQ_PIO,
+			host->base + MMCIMASK0);
+	mb();
+}
+
 static irqreturn_t
 msmsdcc_pio_irq(int irq, void *dev_id)
 {
@@ -1668,7 +1675,7 @@
 
 	spin_lock(&host->lock);
 
-	if (!atomic_read(&host->clks_on)) {
+	if (!atomic_read(&host->clks_on) || !host->curr.data) {
 		spin_unlock(&host->lock);
 		return IRQ_NONE;
 	}
@@ -1719,25 +1726,19 @@
 	msmsdcc_sg_stop(host);
 	local_irq_restore(flags);
 
+	if (!host->curr.xfer_remain) {
+		msmsdcc_clear_pio_irq_mask(host);
+		goto out_unlock;
+	}
+
 	if (status & MCI_RXACTIVE && host->curr.xfer_remain < MCI_FIFOSIZE) {
 		writel_relaxed((readl_relaxed(host->base + MMCIMASK0) &
-				(~(MCI_IRQ_PIO))) | MCI_RXDATAAVLBLMASK,
-				host->base + MMCIMASK0);
-		if (!host->curr.xfer_remain) {
-			/*
-			 * back to back write to MASK0 register don't need
-			 * synchronization delay.
-			 */
-			writel_relaxed((readl_relaxed(host->base + MMCIMASK0) &
-				(~(MCI_IRQ_PIO))) | 0, host->base + MMCIMASK0);
-		}
-		mb();
-	} else if (!host->curr.xfer_remain) {
-		writel_relaxed((readl_relaxed(host->base + MMCIMASK0) &
-				(~(MCI_IRQ_PIO))) | 0, host->base + MMCIMASK0);
+					~MCI_IRQ_PIO) | MCI_RXDATAAVLBLMASK,
+					host->base + MMCIMASK0);
 		mb();
 	}
 
+out_unlock:
 	spin_unlock(&host->lock);
 
 	return IRQ_HANDLED;
@@ -1831,6 +1832,7 @@
 			msmsdcc_sps_exit_curr_xfer(host);
 		}
 		else if (host->curr.data) { /* Non DMA */
+			msmsdcc_clear_pio_irq_mask(host);
 			msmsdcc_reset_and_restore(host);
 			msmsdcc_stop_data(host);
 			msmsdcc_request_end(host, cmd->mrq);
@@ -2002,6 +2004,7 @@
 					/* Stop current SPS transfer */
 					msmsdcc_sps_exit_curr_xfer(host);
 				} else {
+					msmsdcc_clear_pio_irq_mask(host);
 					msmsdcc_reset_and_restore(host);
 					if (host->curr.data)
 						msmsdcc_stop_data(host);
@@ -5380,6 +5383,7 @@
 				/* Stop current SPS transfer */
 				msmsdcc_sps_exit_curr_xfer(host);
 			} else {
+				msmsdcc_clear_pio_irq_mask(host);
 				msmsdcc_reset_and_restore(host);
 				msmsdcc_stop_data(host);
 				if (mrq->data && mrq->data->stop)