Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 55291992d03958150a4faa3c9167019e92d7f098^! / . / drivers / mmc / card / block.c
commit55291992d03958150a4faa3c9167019e92d7f098[log] [tgz]
authorSujit Reddy Thumma <sthumma@codeaurora.org>Tue Dec 09 20:40:16 2014 +0200
committerXiaonian Wang <xiaonian@codeaurora.org>Fri Apr 07 17:26:29 2017 -0700
tree5965d4932703f946d2d70d290bdec336a4428e97
parent943f51b77d4301c01d1a1c7cc376ec2aef3add91 [diff] [blame]
mmc: core: Fix null pointer dereference due to race conditions

Fix race condition between mmcqd thread and the mmc_queue_suspend
updating a shared variable mq->flags, which can lead to potential
null pointer dereference as following-

Unable to handle kernel NULL pointer dereference at
virtual address 00000020
pgd = c0004000
[00000020] *pgd=00000000
mmcqd/0:  186] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
CPU: 0    Tainted: G        W     (3.4.0-1251694-eng #1)
PC is at mmc_blk_err_check+0x20c/0x3b8
LR is at mmc_start_req+0x198/0x718

cpu0		|	cpu1
x |= 1		|	x |= 2

final value of x can be x = 1 or x = 2

Change-Id: Ie0fff6d6dba5aebb3584cba9fb98de24515c4cd8
Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
[merez@codeaurora.org: fix conflicts due to missing stop transmission
and changes in new request implementation in 3.14]
Signed-off-by: Maya Erez <merez@codeaurora.org>
[venkatg@codeaurora.org: Fix conflicts due to changes in 3.14 kernel]
Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
[subhashj@codeaurora.org: fixed trivial merge conflicts]
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
[xiaonian@codeaurora.org: fixed trivial merge conflicts]
Signed-off-by: Xiaonian Wang <xiaonian@codeaurora.org>

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index afe1e83..2b56910 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c

@@ -30,6 +30,7 @@
 #include <linux/blkdev.h>
 #include <linux/mutex.h>
 #include <linux/scatterlist.h>
+#include <linux/bitops.h>
 #include <linux/string_helpers.h>
 #include <linux/delay.h>
 #include <linux/capability.h>
@@ -2805,7 +2806,7 @@
 		areq = mmc_start_req(card->host, areq, (int *) &status);
 		if (!areq) {
 			if (status == MMC_BLK_NEW_REQUEST)
-				mq->flags |= MMC_QUEUE_NEW_REQUEST;
+				set_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
 			return 0;
 		}
 
@@ -2976,7 +2977,7 @@
 
 	mmc_blk_write_packing_control(mq, req);
 
-	mq->flags &= ~MMC_QUEUE_NEW_REQUEST;
+	clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
 	if (req && req_op(req) == REQ_OP_DISCARD) {
 		/* complete ongoing async transfer before issuing discard */
 		if (card->host->areq)
@@ -3002,7 +3003,8 @@
 	}
 
 out:
-	if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) || req_is_special)
+	if ((!req && !(test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags))) ||
+		req_is_special)
 		/*
 		 * Release host when there are no more requests
 		 * and after special request(discard, flush) is done.