[ARM] 5022/1: Race in ARM MMCI PL18x driver, V2

Updated version of 4446/1. This also drops the suggested comparison
of host_remain for == 0, since that doesn't make sense (still works
for us, too). We have verified that this patch solve race problems
on atleast 2 archs at high frequencies.

(Verbatim copy of old patch text below.)

The patch below fixes a race condition in the ARM MMCI PL18x driver.

If new data arrives in the FIFO while existing data is being read then
we get a second iteration of the loop in mmci_pio_read.

However host->size is not updated until after mmci_pio_read returns,
so we get count = number of new bytes PLUS number of bytes already
copied in the first iteration. This results in a FIFO underrun as
we try and read mode data than is available.

The fix is to compensating for data read on previous iterations
when calculating the amount of data in the FIFO.

Signed-off-by: Linus Walleij <triad@df.lth.se>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
index 95244a7..626ac08 100644 (file)
--- a/drivers/mmc/host/mmci.c
+++ b/drivers/mmc/host/mmci.c
@@ -213,9 +213,10 @@ static int mmci_pio_read(struct mmci_host *host, char *buffer, unsigned int rema
        void __iomem *base = host->base;
        char *ptr = buffer;
        u32 status;
+       int host_remain = host->size;
 
        do {
-               int count = host->size - (readl(base + MMCIFIFOCNT) << 2);
+               int count = host_remain - (readl(base + MMCIFIFOCNT) << 2);
 
                if (count > remain)
                        count = remain;
@@ -227,6 +228,7 @@ static int mmci_pio_read(struct mmci_host *host, char *buffer, unsigned int rema
 
                ptr += count;
                remain -= count;
+               host_remain -= count;
 
                if (remain == 0)
                        break;