Skip to content

Commit b80d5d1

Browse files
P33Mpelwell
P33M
authored and
pelwell
committed
mmc: don't reference requests after finishing them
Posted write tracking introduced in the commit below raced with re-use of the requests between completion and submission, potentially causing underflow of the pending write count. Fixes: e6c1e86 ("mmc: restrict posted write counts for SD cards in CQ mode") Signed-off-by: Jonathan Bell <[email protected]>
1 parent 8ee418c commit b80d5d1

File tree

1 file changed

+7
-4
lines changed

1 file changed

+7
-4
lines changed

drivers/mmc/core/block.c

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1524,6 +1524,7 @@ static void mmc_blk_cqe_complete_rq(struct mmc_queue *mq, struct request *req)
15241524
struct request_queue *q = req->q;
15251525
struct mmc_host *host = mq->card->host;
15261526
enum mmc_issue_type issue_type = mmc_issue_type(mq, req);
1527+
bool write = req_op(req) == REQ_OP_WRITE;
15271528
unsigned long flags;
15281529
bool put_card;
15291530
int err;
@@ -1555,7 +1556,7 @@ static void mmc_blk_cqe_complete_rq(struct mmc_queue *mq, struct request *req)
15551556

15561557
spin_lock_irqsave(&mq->lock, flags);
15571558

1558-
if (req_op(req) == REQ_OP_WRITE)
1559+
if (write)
15591560
mq->pending_writes--;
15601561
mq->in_flight[issue_type] -= 1;
15611562

@@ -2170,15 +2171,16 @@ static void mmc_blk_mq_poll_completion(struct mmc_queue *mq,
21702171
}
21712172

21722173
static void mmc_blk_mq_dec_in_flight(struct mmc_queue *mq, enum mmc_issue_type issue_type,
2173-
struct request *req)
2174+
bool write)
21742175
{
21752176
unsigned long flags;
21762177
bool put_card;
21772178

21782179
spin_lock_irqsave(&mq->lock, flags);
21792180

2180-
if (req_op(req) == REQ_OP_WRITE)
2181+
if (write)
21812182
mq->pending_writes--;
2183+
21822184
mq->in_flight[issue_type] -= 1;
21832185

21842186
put_card = (mmc_tot_in_flight(mq) == 0);
@@ -2193,6 +2195,7 @@ static void mmc_blk_mq_post_req(struct mmc_queue *mq, struct request *req,
21932195
bool can_sleep)
21942196
{
21952197
enum mmc_issue_type issue_type = mmc_issue_type(mq, req);
2198+
bool write = req_op(req) == REQ_OP_WRITE;
21962199
struct mmc_queue_req *mqrq = req_to_mmc_queue_req(req);
21972200
struct mmc_request *mrq = &mqrq->brq.mrq;
21982201
struct mmc_host *host = mq->card->host;
@@ -2212,7 +2215,7 @@ static void mmc_blk_mq_post_req(struct mmc_queue *mq, struct request *req,
22122215
blk_mq_complete_request(req);
22132216
}
22142217

2215-
mmc_blk_mq_dec_in_flight(mq, issue_type, req);
2218+
mmc_blk_mq_dec_in_flight(mq, issue_type, write);
22162219
}
22172220

22182221
void mmc_blk_mq_recovery(struct mmc_queue *mq)

0 commit comments

Comments
 (0)