
mmc/core:fix mmc_sd_hw_reset oops mmc_sd_hw_reset function may be oops if the ejection of sd and the reset of sd simultaneously occur

Message ID 1588348794-4511-1-git-send-email-yanxiaoyong5@gmail.com (mailing list archive)
State New, archived

Commit Message

yanxiaoyong5 May 1, 2020, 3:59 p.m. UTC
Signed-off-by: yanxiaoyong5 <yanxiaoyong5@gmail.com>
---
 drivers/mmc/core/sd.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Comments

Ulf Hansson May 6, 2020, 4:30 p.m. UTC | #1
On Fri, 1 May 2020 at 19:18, yanxiaoyong5@gmail.com
<yanxiaoyong5@gmail.com> wrote:
>
>  it is a race condition, the situation is as follows:
>         a                                                                           b
>  mmc_rescan
>      mmc_sd_detect
>           mmc_get_card
>               __mmc_reclaim_host
>           card is not present                                       __mmc_reclaim_host
>           mmc_put_card                                                 wait a __mmc_release_host
>               __mmc_release_host
>                     set b TASK_RUNNING
>           mmc_sd_remove

mmc_sd_remove() calls mmc_remove_card(), which calls device_del() on
the corresponding card->dev.

That leads to the ->remove() callback getting invoked for card->dev (see
mmc_blk_remove()), which ideally should clean up everything mmc block
device related. In other words, beyond this point there should be no
thread/user that can call mmc_hw_reset() (which invokes
mmc_sd_hw_reset()).

>                host->card = NULL
>                                                                                (b starts to run)
>                                                                                mmc_sd_hw_reset
>                                                                                    finds host->card is NULL, then oops

So, from the above reasoning I need to ask, have you really seen the
NULL pointer exception happening? (then we need to look more closely
at mmc_blk_remove()) Or do you think there is a problem from a
code-inspection point of view?

Kind regards
Uffe

Patch

diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
index fe914ff..73a1e68 100644
--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -1247,8 +1247,13 @@  static int mmc_sd_runtime_resume(struct mmc_host *host)
 
 static int mmc_sd_hw_reset(struct mmc_host *host)
 {
-	mmc_power_cycle(host, host->card->ocr);
-	return mmc_sd_init_card(host, host->card->ocr, host->card);
+	struct mmc_card *card;
+
+	card = host->card;
+	if (!card)
+		return -EINVAL;
+	mmc_power_cycle(host, card->ocr);
+	return mmc_sd_init_card(host, card->ocr, host->card);
 }
 
 static const struct mmc_bus_ops mmc_sd_ops = {
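Review bot: the last `+` line still passes `host->card` as the third argument while the first two arguments use the local `card` snapshot; pass `card` there as well (`return mmc_sd_init_card(host, card->ocr, card);`), otherwise the function re-reads `host->card` after the NULL check and the check does not cover that use. More generally, a bare NULL check on `host->card` does not by itself close the race described in the commit text, since the pointer can still be cleared between the check and the dereference unless the caller holds the host claim; the commit message should state which lock or claim makes the check sufficient, or the fix belongs at the synchronization point instead.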