From: "Bao D. Nguyen" <nguyenb@codeaurora.org>
To: ulf.hansson@linaro.org, robh+dt@kernel.org
Cc: linux-mmc@vger.kernel.org, linux-kernel@vger.kernel.org,
	asutoshd@codeaurora.org, cang@codeaurora.org,
	Sayali Lokhande <sayalil@codeaurora.org>,
	"Bao D. Nguyen" <nguyenb@codeaurora.org>
Subject: [<PATCH v1> 5/9] mmc: core: fix one NULL pointer dereference after SD card is removed
Date: Mon, 16 Dec 2019 18:50:38 -0800
Message-ID: <6373c3574eb80f2a760f23883196c309dacfa163.1576540908.git.nguyenb@codeaurora.org>
In-Reply-To: <cover.1576540906.git.nguyenb@codeaurora.org>

From: Can Guo <cang@codeaurora.org>

After the SD card is removed, the driver marks its queue DYING to try to
block further requests from coming into the queue, then cleans up its
queue's queuedata by setting it to NULL. However, new requests can still
come in right before the DYING mark is set after the SD card is
removed. When a new request is allocated and initialized, the queuedata
is accessed. If queuedata has already been cleaned up, a NULL pointer
dereference happens. This change fixes it by checking whether queuedata is
NULL before accessing it and, if so, bailing out with an error.

mmc0: card aaaa removed
Buffer I/O error on dev mmcblk0p1, logical block 1, lost async page write
Unable to handle kernel NULL pointer dereference at virtual address
00000000
Mem abort info:
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
user pgtable: 4k pages, 39-bit VAs, pgd = ffffffd7bbafa000
[0000000000000000] *pgd=0000000134331003, *pud=0000000134331003,
*pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
task: ffffffd77d193380 task.stack: ffffff8047e30000
pc : mmc_init_request+0x28/0x74
lr : alloc_request_size+0x4c/0x70
...
Process MediaScannerSer (pid: 4710, stack limit = 0xffffff8047e30000)
Call trace:
mmc_init_request+0x28/0x74
alloc_request_size+0x4c/0x70
mempool_alloc+0x104/0x184
get_request+0x324/0x75c
blk_queue_bio+0x154/0x398
generic_make_request+0xcc/0x228
submit_bio+0x13c/0x1d4.

Signed-off-by: Can Guo <cang@codeaurora.org>
Signed-off-by: Sayali Lokhande <sayalil@codeaurora.org>
Signed-off-by: Bao D. Nguyen <nguyenb@codeaurora.org>
---
 drivers/mmc/core/queue.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
index 846557b..a1de5f7 100644
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -211,8 +211,11 @@ static int __mmc_init_request(struct mmc_queue *mq, struct request *req,
 			      gfp_t gfp)
 {
 	struct mmc_queue_req *mq_rq = req_to_mmc_queue_req(req);
-	struct mmc_card *card = mq->card;
-	struct mmc_host *host = card->host;
+	struct mmc_host *host;
+
+	if (!mq)
+		return -ENODEV;
+	host = mq->card->host;
 
 	mq_rq->sg = mmc_alloc_sg(mmc_get_max_segments(host), gfp);
 	if (!mq_rq->sg)
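
Review bot: the new `if (!mq)` test in __mmc_init_request() narrows the window described in the commit message but does not close it, and the very next line still dereferences `mq->card` unchecked. Nothing visible in this hunk orders the read of the queue data against the removal path that sets it to NULL, so a request initialized just before the cleanup sees a non-NULL `mq` whose `card` (and `card->host`) may already be going away. Either state in the commit message which lock or ordering guarantees that a non-NULL `mq` implies a valid `mq->card` here, or fix the ordering in the removal path so queuedata is not cleared while requests can still be allocated. A short comment above the check explaining why `mq` can be NULL at this point would also help, since the function signature gives no hint that it is optional.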
-- 
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project

Thread overview: 20+ messages
2019-12-17  2:50 [<PATCH v1> 0/9] SD card bug fixes Bao D. Nguyen
2019-12-17  2:50 ` [<PATCH v1> 1/9] mmc: core: Add a cap to use long discard size Bao D. Nguyen
2019-12-17  7:09   ` Ulf Hansson
2019-12-17  2:50 ` [<PATCH v1> 2/9] mmc: core: allow hosts to specify a large " Bao D. Nguyen
2019-12-17  2:50 ` [<PATCH v1> 3/9] mmc: host: Add device_prepare pm for mmc_host Bao D. Nguyen
2019-12-17  2:50 ` [<PATCH v1> 4/9] mmc: core: fix SD card request queue refcount underflow during shutdown Bao D. Nguyen
2019-12-18  8:33   ` Greg KH
2019-12-17  2:50 ` Bao D. Nguyen [this message]
2019-12-17  2:50 ` [<PATCH v1> 6/9] mmc: sdhci-msm: Ignore data timeout error for R1B commands Bao D. Nguyen
2019-12-18  8:34   ` Greg KH
2019-12-17  2:50 ` [<PATCH v1> 7/9] mmc: core: Skip frequency retries for SDCC slots Bao D. Nguyen
2019-12-18  8:34   ` Greg KH
2019-12-18 11:48     ` Ulf Hansson
2019-12-18 12:04       ` Greg Kroah-Hartman
2019-12-18 13:12         ` Ulf Hansson
2019-12-17  2:50 ` [<PATCH v1> 8/9] mmc: core: remove shutdown handler Bao D. Nguyen
2019-12-17  2:50 ` [<PATCH v1> 9/9] mmc: sd: Fix trivial SD card issues Bao D. Nguyen
2019-12-18  8:29   ` Greg KH
2019-12-18 20:16     ` nguyenb
2019-12-18  8:21 ` [<PATCH v1> 0/9] SD card bug fixes Greg KH
