Move claimed and retune control flags out of the bitfield word to
avoid unrelated RMW side effects in asynchronous contexts.

The host->claimed bit shared a word with retune flags. Writes to claimed
in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
other bits when concurrent updates happen in other contexts, triggering
spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
retune_now and retune_paused to bool to remove shared-word coupling.

Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
Cc: stable@vger.kernel.org
Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Penghe Geng <pgeng@nvidia.com>
---
 include/linux/mmc/host.h | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/mmc/host.h b/include/linux/mmc/host.h
index e0e2c265e5d1..ba84f02c2a10 100644
--- a/include/linux/mmc/host.h
+++ b/include/linux/mmc/host.h
@@ -486,14 +486,12 @@ struct mmc_host {
 
 	struct mmc_ios		ios;		/* current io bus settings */
 
+	bool			claimed;	/* host exclusively claimed */
+
 	/* group bitfields together to minimize padding */
 	unsigned int		use_spi_crc:1;
-	unsigned int		claimed:1;	/* host exclusively claimed */
 	unsigned int		doing_init_tune:1; /* initial tuning in progress */
-	unsigned int		can_retune:1;	/* re-tuning can be used */
 	unsigned int		doing_retune:1;	/* re-tuning in progress */
-	unsigned int		retune_now:1;	/* do re-tuning at next req */
-	unsigned int		retune_paused:1; /* re-tuning is temporarily disabled */
 	unsigned int		retune_crc_disable:1; /* don't trigger retune upon crc */
 	unsigned int		can_dma_map_merge:1; /* merging can be used */
 	unsigned int		vqmmc_enabled:1; /* vqmmc regulator is enabled */
@@ -508,6 +506,9 @@ struct mmc_host {
 	int			rescan_disable;	/* disable card detection */
 	int			rescan_entered;	/* used with nonremovable devices */
 
+	bool			can_retune;	/* re-tuning can be used */
+	bool			retune_now;	/* do re-tuning at next req */
+	bool			retune_paused;	/* re-tuning is temporarily disabled */
 	int			need_retune;	/* re-tuning is needed */
 	int			hold_retune;	/* hold off re-tuning */
 	unsigned int		retune_period;	/* re-tuning period in secs */
-- 
2.43.0

On Thu, 19 Feb 2026 at 21:31, Penghe Geng <pgeng@nvidia.com> wrote:
>
> Move claimed and retune control flags out of the bitfield word to
> avoid unrelated RMW side effects in asynchronous contexts.
>
> The host->claimed bit shared a word with retune flags. Writes to claimed
> in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
> other bits when concurrent updates happen in other contexts, triggering
> spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
> retune_now and retune_paused to bool to remove shared-word coupling.
>
> Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
> Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
> Cc: stable@vger.kernel.org
> Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
> Signed-off-by: Penghe Geng <pgeng@nvidia.com>

Applied for fixes, thanks!

Kind regards
Uffe


> ---
>  include/linux/mmc/host.h | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/mmc/host.h b/include/linux/mmc/host.h
> index e0e2c265e5d1..ba84f02c2a10 100644
> --- a/include/linux/mmc/host.h
> +++ b/include/linux/mmc/host.h
> @@ -486,14 +486,12 @@ struct mmc_host {
>
>         struct mmc_ios          ios;            /* current io bus settings */
>
> +       bool                    claimed;        /* host exclusively claimed */
> +
>         /* group bitfields together to minimize padding */
>         unsigned int            use_spi_crc:1;
> -       unsigned int            claimed:1;      /* host exclusively claimed */
>         unsigned int            doing_init_tune:1; /* initial tuning in progress */
> -       unsigned int            can_retune:1;   /* re-tuning can be used */
>         unsigned int            doing_retune:1; /* re-tuning in progress */
> -       unsigned int            retune_now:1;   /* do re-tuning at next req */
> -       unsigned int            retune_paused:1; /* re-tuning is temporarily disabled */
>         unsigned int            retune_crc_disable:1; /* don't trigger retune upon crc */
>         unsigned int            can_dma_map_merge:1; /* merging can be used */
>         unsigned int            vqmmc_enabled:1; /* vqmmc regulator is enabled */
> @@ -508,6 +506,9 @@ struct mmc_host {
>         int                     rescan_disable; /* disable card detection */
>         int                     rescan_entered; /* used with nonremovable devices */
>
> +       bool                    can_retune;     /* re-tuning can be used */
> +       bool                    retune_now;     /* do re-tuning at next req */
> +       bool                    retune_paused;  /* re-tuning is temporarily disabled */
>         int                     need_retune;    /* re-tuning is needed */
>         int                     hold_retune;    /* hold off re-tuning */
>         unsigned int            retune_period;  /* re-tuning period in secs */
> --
> 2.43.0
>
>

On 19/02/2026 22:29, Penghe Geng wrote:
> Move claimed and retune control flags out of the bitfield word to
> avoid unrelated RMW side effects in asynchronous contexts.
> 
> The host->claimed bit shared a word with retune flags. Writes to claimed
> in __mmc_claim_host() or retune_now in mmc_mq_queue_rq() can overwrite
> other bits when concurrent updates happen in other contexts, triggering
> spurious WARN_ON(!host->claimed). Convert claimed, can_retune,
> retune_now and retune_paused to bool to remove shared-word coupling.
> 
> Fixes: 6c0cedd1ef952 ("mmc: core: Introduce host claiming by context")
> Fixes: 1e8e55b67030c ("mmc: block: Add CQE support")
> Cc: stable@vger.kernel.org
> Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
> Signed-off-by: Penghe Geng <pgeng@nvidia.com>

Acked-by: Adrian Hunter <adrian.hunter@intel.com>

> ---
>  include/linux/mmc/host.h | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/include/linux/mmc/host.h b/include/linux/mmc/host.h
> index e0e2c265e5d1..ba84f02c2a10 100644
> --- a/include/linux/mmc/host.h
> +++ b/include/linux/mmc/host.h
> @@ -486,14 +486,12 @@ struct mmc_host {
>  
>  	struct mmc_ios		ios;		/* current io bus settings */
>  
> +	bool			claimed;	/* host exclusively claimed */
> +
>  	/* group bitfields together to minimize padding */
>  	unsigned int		use_spi_crc:1;
> -	unsigned int		claimed:1;	/* host exclusively claimed */
>  	unsigned int		doing_init_tune:1; /* initial tuning in progress */
> -	unsigned int		can_retune:1;	/* re-tuning can be used */
>  	unsigned int		doing_retune:1;	/* re-tuning in progress */
> -	unsigned int		retune_now:1;	/* do re-tuning at next req */
> -	unsigned int		retune_paused:1; /* re-tuning is temporarily disabled */
>  	unsigned int		retune_crc_disable:1; /* don't trigger retune upon crc */
>  	unsigned int		can_dma_map_merge:1; /* merging can be used */
>  	unsigned int		vqmmc_enabled:1; /* vqmmc regulator is enabled */
> @@ -508,6 +506,9 @@ struct mmc_host {
>  	int			rescan_disable;	/* disable card detection */
>  	int			rescan_entered;	/* used with nonremovable devices */
>  
> +	bool			can_retune;	/* re-tuning can be used */
> +	bool			retune_now;	/* do re-tuning at next req */
> +	bool			retune_paused;	/* re-tuning is temporarily disabled */
>  	int			need_retune;	/* re-tuning is needed */
>  	int			hold_retune;	/* hold off re-tuning */
>  	unsigned int		retune_period;	/* re-tuning period in secs */