* [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request
@ 2019-05-08 18:58 Raul E Rangel
2019-05-08 18:58 ` [PATCH 2/2] mmc: v4.14: Kill the request if the queuedata has been removed Raul E Rangel
2019-05-09 6:04 ` [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request Christoph Hellwig
0 siblings, 2 replies; 5+ messages in thread
From: Raul E Rangel @ 2019-05-08 18:58 UTC (permalink / raw)
To: linux-mmc
Cc: djkurtz, adrian.hunter, zwisler, Raul E Rangel, linux-kernel,
Ulf Hansson
It is possible for queuedata to be cleared in mmc_cleanup_queue before
the request has been started. This will result in dereferencing a null
pointer.
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
---
I think we should cherry-pick 41e3efd07d5a02c80f503e29d755aa1bbb4245de
https://lore.kernel.org/patchwork/patch/856512/ into 4.14. It fixes a
potential resource leak when shutting down the request queue. Once this
patch is applied, there is a potential for a null pointer dereference.
That's what this patch fixes. The next patch is just an optimization to
stop processing earlier.
See https://patchwork.kernel.org/patch/10925469/ for the initial
motivation.
This commit applies to v4.14.116.
This doesn't apply to 5.1 since mmc has been migrated to blk-mq.
Thanks,
Raul
drivers/mmc/core/queue.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
index 0a4e77a5ba33..4bf1a9c6440b 100644
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -159,8 +159,14 @@ static int mmc_init_request(struct request_queue *q, struct request *req,
{
struct mmc_queue_req *mq_rq = req_to_mmc_queue_req(req);
struct mmc_queue *mq = q->queuedata;
- struct mmc_card *card = mq->card;
- struct mmc_host *host = card->host;
+ struct mmc_card *card;
+ struct mmc_host *host;
+
+ if (!mq)
+ return -ENODEV;
+
+ card = mq->card;
+ host = card->host;
mq_rq->sg = mmc_alloc_sg(host->max_segs, gfp);
if (!mq_rq->sg)
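Review bot: the `if (!mq) return -ENODEV;` check closes the NULL dereference only when `q->queuedata` was already cleared before this function read it; the read itself is not under the lock that mmc_cleanup_queue takes around clearing the pointer (the follow-up in this thread mentions that lock), so a clear that lands between `mq = q->queuedata` and `card = mq->card` still hands this function an mmc_queue that is being torn down. The durable fix is ordering in mmc_cleanup_queue (drain the queue with blk_cleanup_queue before `q->queuedata = NULL`), which the author proposes later in the thread; if this check stays as a backstop for v4.14, the commit message should say it is a backstop and name the ordering change it relies on.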
--
2.21.0.1020.gf2820cf01a-goog
* [PATCH 2/2] mmc: v4.14: Kill the request if the queuedata has been removed
2019-05-08 18:58 [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request Raul E Rangel
@ 2019-05-08 18:58 ` Raul E Rangel
2019-05-09 6:04 ` [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request Christoph Hellwig
1 sibling, 0 replies; 5+ messages in thread
From: Raul E Rangel @ 2019-05-08 18:58 UTC (permalink / raw)
To: linux-mmc
Cc: djkurtz, adrian.hunter, zwisler, Raul E Rangel, linux-kernel,
Ulf Hansson
No reason to even try processing the request if the queue is shutting
down.
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
---
This commit applies to v4.14.116.
This doesn't apply to 5.1 since mmc has been migrated to blk-mq.
drivers/mmc/core/queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
index 4bf1a9c6440b..28c9646a4de9 100644
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -30,7 +30,7 @@ static int mmc_prep_request(struct request_queue *q, struct request *req)
{
struct mmc_queue *mq = q->queuedata;
- if (mq && (mmc_card_removed(mq->card) || mmc_access_rpmb(mq)))
+ if (!mq || mmc_card_removed(mq->card) || mmc_access_rpmb(mq))
return BLKPREP_KILL;
req->rq_flags |= RQF_DONTPREP;
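Review bot: inverting the condition changes what happens to a request that arrives with `q->queuedata` already NULL: before, it fell through to `RQF_DONTPREP` and relied on the NULL check in mmc_request_fn (mentioned later in the thread); now it is failed immediately with BLKPREP_KILL. That is the intended optimization, but the commit message should state that in-flight I/O during teardown now completes with an error at prep time rather than being left for the request function. The `q->queuedata` read is the same unlocked read as in 1/2, so `mmc_card_removed(mq->card)` is only safe once the queue is drained before the pointer is cleared; that dependency is worth noting here too.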
--
2.21.0.1020.gf2820cf01a-goog
* Re: [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request
2019-05-08 18:58 [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request Raul E Rangel
2019-05-08 18:58 ` [PATCH 2/2] mmc: v4.14: Kill the request if the queuedata has been removed Raul E Rangel
@ 2019-05-09 6:04 ` Christoph Hellwig
2019-05-09 18:42 ` Raul Rangel
1 sibling, 1 reply; 5+ messages in thread
From: Christoph Hellwig @ 2019-05-09 6:04 UTC (permalink / raw)
To: Raul E Rangel
Cc: linux-mmc, djkurtz, adrian.hunter, zwisler, linux-kernel, Ulf Hansson
On Wed, May 08, 2019 at 12:58:32PM -0600, Raul E Rangel wrote:
> It is possible for queuedata to be cleared in mmc_cleanup_queue before
> the request has been started.
Errm. I think we need to fix that problem instead of working around it.
* Re: [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request
2019-05-09 6:04 ` [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request Christoph Hellwig
@ 2019-05-09 18:42 ` Raul Rangel
2019-05-13 17:19 ` Raul Rangel
0 siblings, 1 reply; 5+ messages in thread
From: Raul Rangel @ 2019-05-09 18:42 UTC (permalink / raw)
To: Christoph Hellwig
Cc: linux-mmc, djkurtz, adrian.hunter, zwisler, linux-kernel, Ulf Hansson
On Wed, May 08, 2019 at 11:04:56PM -0700, Christoph Hellwig wrote:
> On Wed, May 08, 2019 at 12:58:32PM -0600, Raul E Rangel wrote:
> > It is possible for queuedata to be cleared in mmc_cleanup_queue before
> > the request has been started.
>
> Errm. I think we need to fix that problem instead of working around it.
So mmc_request_fn already has a null check; it was just missing on
mmc_init_request.
I could move `blk_cleanup_queue(q)` above `q->queuedata = NULL` and the
lock. So that would mean cherry-picking
https://lore.kernel.org/patchwork/patch/856512/ and then a patch with
moving blk_cleanup_queue.
Should I do that instead?
Thanks,
Raul
* Re: [PATCH 1/2] mmc: v4.14: Fix null pointer dereference in mmc_init_request
2019-05-09 18:42 ` Raul Rangel
@ 2019-05-13 17:19 ` Raul Rangel
0 siblings, 0 replies; 5+ messages in thread
From: Raul Rangel @ 2019-05-13 17:19 UTC (permalink / raw)
To: Christoph Hellwig
Cc: linux-mmc, djkurtz, adrian.hunter, zwisler, linux-kernel, Ulf Hansson
> > Errm. I think we need to fix that problem instead of working around it.
> So mmc_request_fn already has a null check, it was just missing on
> mmc_init_request.
>
So I got 189650 random connect/disconnect iterations over the weekend
with these patches. I think they are fine. I'm going to send them to
stable@ unless anyone has any objections.
Thanks,
Raul