From e385ea63f44b475e034a78b6d8bc6bb50caf72ca Mon Sep 17 00:00:00 2001 From: David Brownell Date: Tue, 2 Sep 2008 14:35:46 -0700 Subject: mmc: at91_mci: don't use coherent dma buffers At91_mci is abusing dma_free_coherent(), which may not be called with IRQs disabled. I saw "mkfs.ext3" on an MMC card objecting voluminously as each write completed: WARNING: at arch/arm/mm/consistent.c:368 dma_free_coherent+0x2c/0x224() [] (dump_stack+0x0/0x14) from [] (warn_on_slowpath+0x4c/0x68) [] (warn_on_slowpath+0x0/0x68) from [] (dma_free_coherent+0x2c/0x224) r6:00008008 r5:ffc06000 r4:00000000 [] (dma_free_coherent+0x0/0x224) from [] (at91_mci_irq+0x374/0x420) [] (at91_mci_irq+0x0/0x420) from [] (handle_IRQ_event+0x2c/0x6c) ... This bug has been around for a LONG time. The MM warning is from late 2005, but the driver merged a year later ... so I'm puzzled why nobody noticed this before now. The fix involves noting that this buffer shouldn't be DMA-coherent; it's just used for normal DMA writes. So replace it with standard kmalloc() buffering and DMA mapping calls. This is the quickie fix. A better one would not rely on allocating large bounce buffers. (Note that dma_alloc_coherent could have failed too, but that case was ignored... kmalloc is a bit more likely to fail though.) Signed-off-by: David Brownell Acked-by: Pierre Ossman Cc: Andrew Victor Acked-by: Nicolas Ferre Cc: Russell King Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/mmc/host/at91_mci.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) (limited to 'drivers/mmc') diff --git a/drivers/mmc/host/at91_mci.c b/drivers/mmc/host/at91_mci.c index 6915f40..1f8b5b3 100644 --- a/drivers/mmc/host/at91_mci.c +++ b/drivers/mmc/host/at91_mci.c @@ -621,12 +621,21 @@ static void at91_mci_send_command(struct at91mci_host *host, struct mmc_command if (cpu_is_at91sam9260 () || cpu_is_at91sam9263()) if (host->total_length < 12) host->total_length = 12; - host->buffer = dma_alloc_coherent(NULL, - host->total_length, - &host->physical_address, GFP_KERNEL); + + host->buffer = kmalloc(host->total_length, GFP_KERNEL); + if (!host->buffer) { + pr_debug("Can't alloc tx buffer\n"); + cmd->error = -ENOMEM; + mmc_request_done(host->mmc, host->request); + return; + } at91_mci_sg_to_dma(host, data); + host->physical_address = dma_map_single(NULL, + host->buffer, host->total_length, + DMA_TO_DEVICE); + pr_debug("Transmitting %d bytes\n", host->total_length); at91_mci_write(host, ATMEL_PDC_TPR, host->physical_address); @@ -694,7 +703,10 @@ static void at91_mci_completed_command(struct at91mci_host *host, unsigned int s cmd->resp[3] = at91_mci_read(host, AT91_MCI_RSPR(3)); if (host->buffer) { - dma_free_coherent(NULL, host->total_length, host->buffer, host->physical_address); + dma_unmap_single(NULL, + host->physical_address, host->total_length, + DMA_TO_DEVICE); + kfree(host->buffer); host->buffer = NULL; } -- cgit v1.1 From 70bb08962ea9bd50797ae9f16b2493f5f7c65053 Mon Sep 17 00:00:00 2001 From: Andrew Morton Date: Fri, 5 Sep 2008 14:00:24 -0700 Subject: drivers/mmc/card/block.c: fix refcount leak in mmc_block_open() mmc_block_open() increments md->usage although it returns with -EROFS when default mounting a MMC/SD card with write protect switch on. This reference counting bug prevents /dev/mmcblkX from being released on card removal, and situation worsen with reinsertion until the minor number range runs out. Reported-by: Acked-by: Pierre Ossman Cc: [2.6.25.x, 2.6.26.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/mmc/card/block.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'drivers/mmc') diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c index 86dbb36..6986f39 100644 --- a/drivers/mmc/card/block.c +++ b/drivers/mmc/card/block.c @@ -103,8 +103,10 @@ static int mmc_blk_open(struct inode *inode, struct file *filp) check_disk_change(inode->i_bdev); ret = 0; - if ((filp->f_mode & FMODE_WRITE) && md->read_only) + if ((filp->f_mode & FMODE_WRITE) && md->read_only) { + mmc_blk_put(md); ret = -EROFS; + } } return ret; -- cgit v1.1