Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

subsystem: sd: sd_ops: mutex unlocked twice after being locked only once #72287

Closed
clamattia opened this issue May 3, 2024 · 1 comment · Fixed by #72773
Closed

subsystem: sd: sd_ops: mutex unlocked twice after being locked only once #72287

clamattia opened this issue May 3, 2024 · 1 comment · Fixed by #72773
Assignees
@danieldegrasse
Labels
area: Disk Access bug The issue is a bug, or the PR is fixing a bug priority: medium Medium impact/importance bug

Comments

@clamattia
Copy link

clamattia commented May 3, 2024
edited

The function card_read in subsys/sd/sd_ops.c unlocks the &card->lock if the sdmmc_wait_ready operation fails.
It does so without having locked it first. It is locked by the caller once but also unlocked again after the card_read function call no matter the result. This means, that there is a code-path that would unlock it twice after having it locked only once.

Expected Fix: Remove the unlock call from card_read. It might be a forgotten line when refactoring.

The impact depends on what happens if a lock is unlocked one time too many. Might be Undefined Behavior.

Please let me know, if you need additional information. Thank you.

Edit: Apparently it will fail with -EINVAL.
@clamattia clamattia added the bug The issue is a bug, or the PR is fixing a bug label May 3, 2024
@andyross
Copy link
Contributor

andyross commented May 3, 2024

This came up via discord. Indeed, this looks like a mixed up unlock call to me, maybe a leftover of a previous variant. It's likely benign as the function will fail with an -EINVAL on the misatched unlock, though it does open the possibility of hijinx if it's possible to fool the subsystem into incorrectly releasing a correctly-held lock.

Relevant stray unlock is here: https://github.com/zephyrproject-rtos/zephyr/blob/main/subsys/sd/sd_ops.c#L538

@clamattia clamattia mentioned this issue May 6, 2024
Closed
@nashif nashif added the priority: medium Medium impact/importance bug label May 7, 2024
danieldegrasse added a commit to nxp-upstream/zephyr that referenced this issue May 14, 2024
@danieldegrasse
sd: sd_ops: remove additional unlock call within card_read()
024ced4 
SD ops card_read() implementation does not need to unlock mutex, as this
is managed by the calling function card_write_blocks. Remove this stray
k_mutex_unlock() call.

Fixes zephyrproject-rtos#72287

Signed-off-by: Daniel DeGrasse <[email protected]>
@danieldegrasse danieldegrasse mentioned this issue May 14, 2024
Merged
mariopaja pushed a commit to mariopaja/zephyr that referenced this issue May 26, 2024
@danieldegrasse
sd: sd_ops: remove additional unlock call within card_read()
7d36e2a 
SD ops card_read() implementation does not need to unlock mutex, as this
is managed by the calling function card_write_blocks. Remove this stray
k_mutex_unlock() call.

Fixes zephyrproject-rtos#72287

Signed-off-by: Daniel DeGrasse <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danieldegrasse danieldegrasse

Labels
area: Disk Access bug The issue is a bug, or the PR is fixing a bug priority: medium Medium impact/importance bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

sd: sd_ops: remove additional unlock call within card_read() nxp-upstream/zephyr
5 participants
@nashif @andyross @henrikbrixandersen @danieldegrasse @clamattia