* [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: franck.jullien @ 2013-07-24 13:17 UTC (permalink / raw)
To: linux-mmc; +Cc: Franck Jullien
From: Franck Jullien <franck.jullien@gmail.com>
A previous commit (fdfa20c1631210d0) reordered the
shutdown sequence in mmc_blk_remove_req. However,
mmc_cleanup_queue is now called before we get the
card pointer and, sadly, mmc_cleanup_queue sets
mq->card to NULL.
This patch moves the card pointer assignment before
mmc_cleanup_queue.
Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
---
drivers/mmc/card/block.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index cd0b7f4..f4a0bea 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
* is freeing the queue that stops new requests
* from being accepted.
*/
+ card = md->queue.card;
mmc_cleanup_queue(&md->queue);
if (md->flags & MMC_BLK_PACKED_CMD)
mmc_packed_clean(&md->queue);
- card = md->queue.card;
if (md->disk->flags & GENHD_FL_UP) {
device_remove_file(disk_to_dev(md->disk), &md->force_ro);
if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
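Review bot: the reorder is correct, but nothing in the hunk records why `card` must be read before `mmc_cleanup_queue()`; the moved line `card = md->queue.card;` now sits directly under a comment that only explains why the queue is freed first, so the next person to reorder this block gets no warning that the cleanup clears `mq->card`, which is exactly how fdfa20c1631210d0 regressed it. Suggest a one-line comment above the assignment, e.g. `/* mmc_cleanup_queue() clears queue.card, so grab it first */`. Since the commit message names the regressing commit and the follow-up shows the NULL dereference is reachable from a plain sysfs unbind of mmcblk, the tags should also carry `Cc: stable@vger.kernel.org` so the fix follows the regression into the stable tree rather than having to be requested later.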
--
1.7.1
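The ordering bug the commit message describes, as an added example that is not kernel code and not the author's patch: a userspace C model in which the queue teardown clears the card pointer, so the pre-patch caller that reads `md->queue.card` after the cleanup gets NULL while the post-patch caller that snapshots it first does not. The struct layouts, the `refs` field, and the `model_`/`teardown_` helper names are assumptions made for illustration only; the real `mmc_blk_remove_req()` dereferences the pointer instead of returning an error.

```c
/*
 * Added example, not kernel code: a userspace model of the ordering bug the
 * commit message describes. The model mirrors the one fact that matters,
 * that mmc_cleanup_queue() clears mq->card, so a caller that reads
 * md->queue.card after the cleanup gets NULL. Struct layouts, the refs
 * field and the model_/teardown_ helper names are assumptions made for
 * illustration only.
 */
#include <stddef.h>
#include <stdio.h>

struct mmc_card {
	int refs;			/* stand-in for state the caller still needs */
};

struct mmc_queue {
	struct mmc_card *card;		/* cleared by the cleanup routine, as in the kernel */
	int running;
};

struct mmc_blk_data {
	struct mmc_queue queue;
};

/* Model of mmc_cleanup_queue(): stop the queue and drop its card pointer. */
static void model_mmc_cleanup_queue(struct mmc_queue *mq)
{
	mq->running = 0;
	mq->card = NULL;
}

/*
 * Pre-patch ordering: tear down first, then fetch the pointer. Returns 0 if
 * the card could be used, -1 if the pointer was already NULL (the point at
 * which the real driver dereferenced it and oopsed).
 */
static int remove_req_before_patch(struct mmc_blk_data *md)
{
	struct mmc_card *card;

	model_mmc_cleanup_queue(&md->queue);
	card = md->queue.card;		/* already NULL here */
	if (card == NULL)
		return -1;
	card->refs--;
	return 0;
}

/* Post-patch ordering: snapshot the pointer, then tear down the queue. */
static int remove_req_after_patch(struct mmc_blk_data *md)
{
	struct mmc_card *card = md->queue.card;

	model_mmc_cleanup_queue(&md->queue);
	if (card == NULL)
		return -1;
	card->refs--;
	return 0;
}

/*
 * Run one removal against a freshly bound card with the chosen ordering.
 * Returns the remove_req result; the card's final refcount is written to
 * *refs_out when it is non-NULL.
 */
int teardown_result(int patched_order, int *refs_out)
{
	struct mmc_card card = { .refs = 1 };
	struct mmc_blk_data md = { .queue = { .card = &card, .running = 1 } };
	int rc = patched_order ? remove_req_after_patch(&md)
			       : remove_req_before_patch(&md);

	if (refs_out)
		*refs_out = card.refs;
	return rc;
}

/* Convenience wrapper: the refcount left behind by one removal. */
int refs_after_teardown(int patched_order)
{
	int refs = 0;

	teardown_result(patched_order, &refs);
	return refs;
}

int main(void)
{
	printf("before patch: rc=%d refs=%d\n",
	       teardown_result(0, NULL), refs_after_teardown(0));	/* rc=-1 refs=1 */
	printf("after patch:  rc=%d refs=%d\n",
	       teardown_result(1, NULL), refs_after_teardown(1));	/* rc=0 refs=0 */
	return 0;
}
```

The general rule the model makes visible: when a sub-object's teardown routine clears or frees fields of that sub-object, every caller must copy out whatever it still needs before calling the teardown, and that dependency deserves a comment at the call site so a later reorder does not silently reintroduce the dereference.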
* Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: Franck Jullien @ 2013-07-25 7:20 UTC (permalink / raw)
To: linux-mmc; +Cc: taysom
2013/7/24 <franck.jullien@gmail.com>:
> From: Franck Jullien <franck.jullien@gmail.com>
>
> A previous commit (fdfa20c1631210d0) reordered the
> shutdown sequence in mmc_blk_remove_req. However,
> mmc_cleanup_queue is now called before we get the
> card pointer and, sadly, mmc_cleanup_queue sets
> mq->card to NULL.
>
> This patch moves the card pointer assignment before
> mmc_cleanup_queue.
>
> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
> ---
> drivers/mmc/card/block.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index cd0b7f4..f4a0bea 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
> * is freeing the queue that stops new requests
> * from being accepted.
> */
> + card = md->queue.card;
> mmc_cleanup_queue(&md->queue);
> if (md->flags & MMC_BLK_PACKED_CMD)
> mmc_packed_clean(&md->queue);
> - card = md->queue.card;
> if (md->disk->flags & GENHD_FL_UP) {
> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
> --
> 1.7.1
>
This is how I got this (mmc_test is unusable right now):
/ # echo mmc0:0001 > /sys/bus/mmc/drivers/mmcblk/unbind
Unable to handle kernel paging request for data at address 0x000001f0
Faulting instruction address: 0xc0316bf4
Oops: Kernel access of bad area, sig: 11 [#1]
P1020 RDB
Modules linked in:
CPU: 0 PID: 1237 Comm: echo Not tainted 3.10.0-next-20130709-dirty #12
task: ef3489c0 ti: ef2e0000 task.ti: ef2e0000
NIP: c0316bf4 LR: c0316be8 CTR: 00000000
REGS: ef2e1d70 TRAP: 0300 Not tainted (3.10.0-next-20130709-dirty)
MSR: 00029000 <CE,EE,ME> CR: 42004042 XER: 20000000
DEAR: 000001f0, ESR: 00000000
GPR00: c0316be8 ef2e1e20 ef3489c0 00000000 ef2de9b0 c05612e4 00000000 00000000
GPR08: ef3728d0 00000002 00000002 00000000 00001aee 10174934 00000000 00000000
GPR16: 00000000 00000000 10133928 1015718e bfe9c268 1017221c 00000000 00000001
GPR24: 00000001 c0476384 ef2e1f18 ef2b6060 00100100 00200200 00000000 ef2f1800
NIP [c0316bf4] mmc_blk_remove_req+0x90/0xbc
LR [c0316be8] mmc_blk_remove_req+0x84/0xbc
Call Trace:
[ef2e1e20] [c0316be8] mmc_blk_remove_req+0x84/0xbc (unreliable)
[ef2e1e30] [c03183c8] mmc_blk_remove_parts.isra.22+0x88/0xac
[ef2e1e50] [c0318414] mmc_blk_remove+0x28/0xc8
[ef2e1e70] [c030b5b4] mmc_bus_remove+0x20/0x34
[ef2e1e80] [c024c5ac] __device_release_driver+0x68/0x114
[ef2e1e90] [c024c680] device_release_driver+0x28/0x40
[ef2e1ea0] [c024b370] driver_unbind+0x64/0xd0
[ef2e1ec0] [c0120010] sysfs_write_file+0xfc/0x190
[ef2e1ef0] [c00c82fc] vfs_write+0xc8/0x1b0
[ef2e1f10] [c00c876c] SyS_write+0x4c/0xac
[ef2e1f40] [c000d318] ret_from_syscall+0x0/0x3c
--- Exception: c01 at 0x100bd3e8
LR = 0x1008a4d8
Instruction dump:
48003c81 807f0000 83df0004 812301ac 712a0010 4182ffd0 38630068 389f027c
4bf31e79 813f029c 712a0002 41a2ffb8 <893e01f0> 2f890000 419effac 807f0000
---[ end trace 2908d8b93b8cdd75 ]---
Segmentation fault
Franck.
* Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: Chris Ball @ 2013-08-25 3:22 UTC (permalink / raw)
To: franck.jullien; +Cc: linux-mmc
Hi Franck,
On Wed, Jul 24 2013, franck.jullien@gmail.com wrote:
> From: Franck Jullien <franck.jullien@gmail.com>
>
> A previous commit (fdfa20c1631210d0) reordered the
> shutdown sequence in mmc_blk_remove_req. However,
> mmc_cleanup_queue is now called before we get the
> card pointer and, sadly, mmc_cleanup_queue sets
> mq->card to NULL.
>
> This patch moves the card pointer assignment before
> mmc_cleanup_queue.
>
> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
> ---
> drivers/mmc/card/block.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index cd0b7f4..f4a0bea 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
> * is freeing the queue that stops new requests
> * from being accepted.
> */
> + card = md->queue.card;
> mmc_cleanup_queue(&md->queue);
> if (md->flags & MMC_BLK_PACKED_CMD)
> mmc_packed_clean(&md->queue);
> - card = md->queue.card;
> if (md->disk->flags & GENHD_FL_UP) {
> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
Thanks for the patch, pushed to mmc-next for 3.12.
- Chris.
--
Chris Ball <cjb@laptop.org> <http://printf.net/>
* Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: Adrian Hunter @ 2013-10-07 8:48 UTC (permalink / raw)
To: linux-stable; +Cc: Chris Ball, franck.jullien, linux-mmc
On 25/08/13 06:22, Chris Ball wrote:
> Hi Franck,
>
> On Wed, Jul 24 2013, franck.jullien@gmail.com wrote:
>> From: Franck Jullien <franck.jullien@gmail.com>
>>
>> A previous commit (fdfa20c1631210d0) reordered the
>> shutdown sequence in mmc_blk_remove_req. However,
>> mmc_cleanup_queue is now called before we get the
>> card pointer and, sadly, mmc_cleanup_queue sets
>> mq->card to NULL.
>>
>> This patch moves the card pointer assignment before
>> mmc_cleanup_queue.
>>
>> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
>> ---
>> drivers/mmc/card/block.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index cd0b7f4..f4a0bea 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
>> * is freeing the queue that stops new requests
>> * from being accepted.
>> */
>> + card = md->queue.card;
>> mmc_cleanup_queue(&md->queue);
>> if (md->flags & MMC_BLK_PACKED_CMD)
>> mmc_packed_clean(&md->queue);
>> - card = md->queue.card;
>> if (md->disk->flags & GENHD_FL_UP) {
>> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
>> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
>
> Thanks for the patch, pushed to mmc-next for 3.12.
Hi
The regression is in 3.11, and causes an oops (see below)
Adding linux-stable
The fix is now in Linus' tree with commit id:
8efb83a2f8518a6ffcc074177f8d659c5165ef37
Please cherry-pick this for 3.11
[ 107.814928] BUG: unable to handle kernel NULL pointer dereference at 0000000000000398
[ 107.823706] IP: [<ffffffffa000d201>] mmc_blk_remove_req+0x56/0x8b [mmc_block]
[ 107.831709] PGD 134323067 PUD 1343c2067 PMD 0
[ 107.836703] Oops: 0000 [#1] PREEMPT SMP
[ 107.841098] Modules linked in: sdhci_acpi(-) mmc_block sdhci
[ 107.847468] CPU: 1 PID: 133 Comm: rmmod Not tainted 3.11.3+ #15
[ 107.854090] task: ffff8801341dc440 ti: ffff88013426c000 task.ti: ffff88013426c000
[ 107.862456] RIP: 0010:[<ffffffffa000d201>] [<ffffffffa000d201>] mmc_blk_remove_req+0x56/0x8b [mmc_block]
[ 107.873172] RSP: 0018:ffff88013426dbe8 EFLAGS: 00010202
[ 107.879111] RAX: ffff8801341e63a8 RBX: ffff8801341e6000 RCX: 00000000000160a0
[ 107.887088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000023
[ 107.895058] RBP: ffff88013426dbf8 R08: ffff88013b443180 R09: ffff88013426dfd8
[ 107.903035] R10: 000000000000273c R11: ffff880134330e00 R12: 0000000000000000
[ 107.911005] R13: ffff8801341e5000 R14: ffffffffa001c098 R15: 0000000000000000
[ 107.918985] FS: 00007f9bab888700(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
[ 107.928031] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 107.934455] CR2: 0000000000000398 CR3: 0000000134263000 CR4: 00000000001007e0
[ 107.942422] Stack:
[ 107.944669] ffff8801341e5ba8 ffff8801341e53a8 ffff88013426dc18 ffffffffa000dbfa
[ 107.952965] ffff8801341e4800 ffff8801341e4808 ffff88013426dc48 ffffffffa000fca0
[ 107.961260] 000000000000bbc9 ffff8801341e4808 ffffffffa0012010 ffffffff81a82210
[ 107.969556] Call Trace:
[ 107.972307] [<ffffffffa000dbfa>] mmc_blk_remove_parts.isra.16+0x5c/0x6c [mmc_block]
[ 107.980980] [<ffffffffa000fca0>] mmc_blk_remove+0x25/0xa9 [mmc_block]
[ 107.988289] [<ffffffff8140dd6c>] mmc_bus_remove+0x15/0x19
[ 107.994432] [<ffffffff812f14a8>] __device_release_driver+0x86/0xdc
[ 108.001448] [<ffffffff812f175d>] device_release_driver+0x1e/0x2b
[ 108.008269] [<ffffffff812f10bc>] bus_remove_device+0xe5/0xfa
[ 108.014701] [<ffffffff812eeb96>] device_del+0x12c/0x186
[ 108.020646] [<ffffffff8140e2cc>] mmc_remove_card+0x66/0x76
[ 108.026884] [<ffffffff8140ec55>] mmc_remove+0x23/0x32
[ 108.032636] [<ffffffff8140dbb2>] mmc_stop_host+0x58/0x9f
[ 108.038678] [<ffffffff8140e301>] mmc_remove_host+0x1d/0x3e
[ 108.044923] [<ffffffffa0001d76>] sdhci_remove_host+0x94/0x122 [sdhci]
[ 108.052235] [<ffffffffa001a145>] sdhci_acpi_remove+0x79/0x8b [sdhci_acpi]
[ 108.059932] [<ffffffff812f2e50>] platform_drv_remove+0x1a/0x3e
[ 108.066559] [<ffffffff812f14a8>] __device_release_driver+0x86/0xdc
[ 108.073574] [<ffffffff812f1c9f>] driver_detach+0x81/0xb2
[ 108.079611] [<ffffffff812f1357>] bus_remove_driver+0x6f/0xb4
[ 108.086045] [<ffffffffa001a568>] ? sdhci_acpi_probe+0x411/0x411 [sdhci_acpi]
[ 108.094031] [<ffffffff812f20a3>] driver_unregister+0x4e/0x73
[ 108.100464] [<ffffffff812f2d26>] platform_driver_unregister+0xd/0xf
[ 108.107578] [<ffffffffa001a578>] sdhci_acpi_driver_exit+0x10/0xa98 [sdhci_acpi]
[ 108.115859] [<ffffffff8107eac3>] SyS_delete_module+0x1b6/0x244
[ 108.122488] [<ffffffff8102c638>] ? do_page_fault+0x9/0xd
[ 108.128535] [<ffffffff815cd052>] system_call_fastpath+0x16/0x1b
[ 108.135250] Code: 00 48 8b 7b 08 4c 8b 63 10 f6 87 60 03 00 00 10 74 41 48 8d b3 d8 03 00 00 48 83 c7 70 e8 26 10 2e e1 f6 83 18 04 00 00 02 74 1f <41> 80 bc 24 98 03 00 00 00 74 14 48 8b 7b 08 48 8d b3 f8 03 00
[ 108.156804] RIP [<ffffffffa000d201>] mmc_blk_remove_req+0x56/0x8b [mmc_block]
[ 108.164895] RSP <ffff88013426dbe8>
[ 108.168794] CR2: 0000000000000398
[ 108.174595] ---[ end trace b9c7313fc09b25d8 ]---
* Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: Adrian Hunter @ 2013-10-07 8:50 UTC (permalink / raw)
To: linux-stable; +Cc: Chris Ball, franck.jullien, linux-mmc
On 25/08/13 06:22, Chris Ball wrote:
> Hi Franck,
>
> On Wed, Jul 24 2013, franck.jullien@gmail.com wrote:
>> From: Franck Jullien <franck.jullien@gmail.com>
>>
>> A previous commit (fdfa20c1631210d0) reordered the
>> shutdown sequence in mmc_blk_remove_req. However,
>> mmc_cleanup_queue is now called before we get the
>> card pointer and, sadly, mmc_cleanup_queue sets
>> mq->card to NULL.
>>
>> This patch moves the card pointer assignment before
>> mmc_cleanup_queue.
>>
>> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
>> ---
>> drivers/mmc/card/block.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index cd0b7f4..f4a0bea 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
>> * is freeing the queue that stops new requests
>> * from being accepted.
>> */
>> + card = md->queue.card;
>> mmc_cleanup_queue(&md->queue);
>> if (md->flags & MMC_BLK_PACKED_CMD)
>> mmc_packed_clean(&md->queue);
>> - card = md->queue.card;
>> if (md->disk->flags & GENHD_FL_UP) {
>> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
>> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
>
> Thanks for the patch, pushed to mmc-next for 3.12.
>
> - Chris.
>
Hi
The regression is in 3.11, and causes an oops (see below)
Adding linux-stable (correctly this time!)
The fix is now in Linus' tree with commit id:
8efb83a2f8518a6ffcc074177f8d659c5165ef37
Please cherry-pick this for 3.11
* Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: Adrian Hunter @ 2013-10-07 8:54 UTC (permalink / raw)
To: stable; +Cc: Chris Ball, franck.jullien, linux-mmc
On 25/08/13 06:22, Chris Ball wrote:
> Hi Franck,
>
> On Wed, Jul 24 2013, franck.jullien@gmail.com wrote:
>> From: Franck Jullien <franck.jullien@gmail.com>
>>
>> A previous commit (fdfa20c1631210d0) reordered the
>> shutdown sequence in mmc_blk_remove_req. However,
>> mmc_cleanup_queue is now called before we get the
>> card pointer and, sadly, mmc_cleanup_queue sets
>> mq->card to NULL.
>>
>> This patch moves the card pointer assignment before
>> mmc_cleanup_queue.
>>
>> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
>> ---
>> drivers/mmc/card/block.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index cd0b7f4..f4a0bea 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
>> * is freeing the queue that stops new requests
>> * from being accepted.
>> */
>> + card = md->queue.card;
>> mmc_cleanup_queue(&md->queue);
>> if (md->flags & MMC_BLK_PACKED_CMD)
>> mmc_packed_clean(&md->queue);
>> - card = md->queue.card;
>> if (md->disk->flags & GENHD_FL_UP) {
>> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
>> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
>
> Thanks for the patch, pushed to mmc-next for 3.12.
>
> - Chris.
>
Hi
The regression is in 3.11, and causes an oops (see below)
Adding linux-stable (third time lucky?!?!)
The fix is now in Linus' tree with commit id:
8efb83a2f8518a6ffcc074177f8d659c5165ef37
Please cherry-pick this for 3.11
* Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
From: Greg KH @ 2013-10-10 23:18 UTC (permalink / raw)
To: Adrian Hunter; +Cc: stable, Chris Ball, franck.jullien, linux-mmc
On Mon, Oct 07, 2013 at 11:54:11AM +0300, Adrian Hunter wrote:
> On 25/08/13 06:22, Chris Ball wrote:
> > Hi Franck,
> >
> > On Wed, Jul 24 2013, franck.jullien@gmail.com wrote:
> >> From: Franck Jullien <franck.jullien@gmail.com>
> >>
> >> A previous commit (fdfa20c1631210d0) reordered the
> >> shutdown sequence in mmc_blk_remove_req. However,
> >> mmc_cleanup_queue is now called before we get the
> >> card pointer and, sadly, mmc_cleanup_queue sets
> >> mq->card to NULL.
> >>
> >> This patch moves the card pointer assignment before
> >> mmc_cleanup_queue.
> >>
> >> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
> >> ---
> >> drivers/mmc/card/block.c | 2 +-
> >> 1 files changed, 1 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> >> index cd0b7f4..f4a0bea 100644
> >> --- a/drivers/mmc/card/block.c
> >> +++ b/drivers/mmc/card/block.c
> >> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
> >> * is freeing the queue that stops new requests
> >> * from being accepted.
> >> */
> >> + card = md->queue.card;
> >> mmc_cleanup_queue(&md->queue);
> >> if (md->flags & MMC_BLK_PACKED_CMD)
> >> mmc_packed_clean(&md->queue);
> >> - card = md->queue.card;
> >> if (md->disk->flags & GENHD_FL_UP) {
> >> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
> >> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
> >
> > Thanks for the patch, pushed to mmc-next for 3.12.
> >
> > - Chris.
> >
>
> Hi
>
> The regression is in 3.11, and causes an oops (see below)
> Adding linux-stable (third time lucky?!?!)
>
> The fix is now in Linus' tree with commit id:
>
> 8efb83a2f8518a6ffcc074177f8d659c5165ef37
>
> Please cherry-pick this for 3.11
Now applied, thanks.
greg k-h
Thread overview: 7+ messages
2013-07-24 13:17 [PATCH] mmc: fix null pointer use in mmc_blk_remove_req franck.jullien
2013-07-25 7:20 ` Franck Jullien
2013-08-25 3:22 ` Chris Ball
2013-10-07 8:48 ` Adrian Hunter
2013-10-07 8:50 ` Adrian Hunter
2013-10-07 8:54 ` Adrian Hunter
2013-10-10 23:18 ` Greg KH