From: Adrian Hunter <adrian.hunter@intel.com>
To: linux-stable@vger.kernel.org
Cc: Chris Ball <cjb@laptop.org>,
franck.jullien@gmail.com, linux-mmc@vger.kernel.org
Subject: Re: [PATCH] mmc: fix null pointer use in mmc_blk_remove_req
Date: Mon, 07 Oct 2013 11:48:00 +0300
Message-ID: <52527540.501@intel.com>
In-Reply-To: <87d2p2sbcp.fsf@octavius.laptop.org>
On 25/08/13 06:22, Chris Ball wrote:
> Hi Franck,
>
> On Wed, Jul 24 2013, franck.jullien@gmail.com wrote:
>> From: Franck Jullien <franck.jullien@gmail.com>
>>
>> A previous commit (fdfa20c1631210d0) reordered the
>> shutdown sequence in mmc_blk_remove_req. However,
>> mmc_cleanup_queue is now called before we get the
>> card pointer and, sadly, mmc_cleanup_queue sets
>> mq->card to NULL.
>>
>> This patch moves the card pointer assignment before
>> mmc_cleanup_queue.
>>
>> Signed-off-by: Franck Jullien <franck.jullien@gmail.com>
>> ---
>> drivers/mmc/card/block.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index cd0b7f4..f4a0bea 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -2191,10 +2191,10 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md)
>> * is freeing the queue that stops new requests
>> * from being accepted.
>> */
>> + card = md->queue.card;
>> mmc_cleanup_queue(&md->queue);
>> if (md->flags & MMC_BLK_PACKED_CMD)
>> mmc_packed_clean(&md->queue);
>> - card = md->queue.card;
>> if (md->disk->flags & GENHD_FL_UP) {
>> device_remove_file(disk_to_dev(md->disk), &md->force_ro);
>> if ((md->area_type & MMC_BLK_DATA_AREA_BOOT) &&
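Review bot: the moved `card = md->queue.card;` line has no comment saying why it must come before `mmc_cleanup_queue(&md->queue)`, and nothing in the code records that ordering dependency. The commit message says mmc_cleanup_queue sets mq->card to NULL and that the earlier reorder in fdfa20c1631210d0 is what broke this, so a later cleanup could easily move the assignment back. Consider extending the existing comment block just above with one line such as "take the card pointer first, mmc_cleanup_queue() clears it". Separately, the commit message names the regressing commit but carries only a Signed-off-by and no stable tag, so released kernels containing that commit will not pick up the fix without a separate request.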
>
> Thanks for the patch, pushed to mmc-next for 3.12.
Hi

The regression is in 3.11, and causes an oops (see below)

Adding linux-stable

The fix is now in Linus' tree with commit id:

	8efb83a2f8518a6ffcc074177f8d659c5165ef37

Please cherry-pick this for 3.11

[ 107.814928] BUG: unable to handle kernel NULL pointer dereference at 0000000000000398
[ 107.823706] IP: [<ffffffffa000d201>] mmc_blk_remove_req+0x56/0x8b [mmc_block]
[ 107.831709] PGD 134323067 PUD 1343c2067 PMD 0
[ 107.836703] Oops: 0000 [#1] PREEMPT SMP
[ 107.841098] Modules linked in: sdhci_acpi(-) mmc_block sdhci
[ 107.847468] CPU: 1 PID: 133 Comm: rmmod Not tainted 3.11.3+ #15
[ 107.854090] task: ffff8801341dc440 ti: ffff88013426c000 task.ti: ffff88013426c000
[ 107.862456] RIP: 0010:[<ffffffffa000d201>] [<ffffffffa000d201>] mmc_blk_remove_req+0x56/0x8b [mmc_block]
[ 107.873172] RSP: 0018:ffff88013426dbe8 EFLAGS: 00010202
[ 107.879111] RAX: ffff8801341e63a8 RBX: ffff8801341e6000 RCX: 00000000000160a0
[ 107.887088] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000023
[ 107.895058] RBP: ffff88013426dbf8 R08: ffff88013b443180 R09: ffff88013426dfd8
[ 107.903035] R10: 000000000000273c R11: ffff880134330e00 R12: 0000000000000000
[ 107.911005] R13: ffff8801341e5000 R14: ffffffffa001c098 R15: 0000000000000000
[ 107.918985] FS: 00007f9bab888700(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
[ 107.928031] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 107.934455] CR2: 0000000000000398 CR3: 0000000134263000 CR4: 00000000001007e0
[ 107.942422] Stack:
[ 107.944669] ffff8801341e5ba8 ffff8801341e53a8 ffff88013426dc18 ffffffffa000dbfa
[ 107.952965] ffff8801341e4800 ffff8801341e4808 ffff88013426dc48 ffffffffa000fca0
[ 107.961260] 000000000000bbc9 ffff8801341e4808 ffffffffa0012010 ffffffff81a82210
[ 107.969556] Call Trace:
[ 107.972307] [<ffffffffa000dbfa>] mmc_blk_remove_parts.isra.16+0x5c/0x6c [mmc_block]
[ 107.980980] [<ffffffffa000fca0>] mmc_blk_remove+0x25/0xa9 [mmc_block]
[ 107.988289] [<ffffffff8140dd6c>] mmc_bus_remove+0x15/0x19
[ 107.994432] [<ffffffff812f14a8>] __device_release_driver+0x86/0xdc
[ 108.001448] [<ffffffff812f175d>] device_release_driver+0x1e/0x2b
[ 108.008269] [<ffffffff812f10bc>] bus_remove_device+0xe5/0xfa
[ 108.014701] [<ffffffff812eeb96>] device_del+0x12c/0x186
[ 108.020646] [<ffffffff8140e2cc>] mmc_remove_card+0x66/0x76
[ 108.026884] [<ffffffff8140ec55>] mmc_remove+0x23/0x32
[ 108.032636] [<ffffffff8140dbb2>] mmc_stop_host+0x58/0x9f
[ 108.038678] [<ffffffff8140e301>] mmc_remove_host+0x1d/0x3e
[ 108.044923] [<ffffffffa0001d76>] sdhci_remove_host+0x94/0x122 [sdhci]
[ 108.052235] [<ffffffffa001a145>] sdhci_acpi_remove+0x79/0x8b [sdhci_acpi]
[ 108.059932] [<ffffffff812f2e50>] platform_drv_remove+0x1a/0x3e
[ 108.066559] [<ffffffff812f14a8>] __device_release_driver+0x86/0xdc
[ 108.073574] [<ffffffff812f1c9f>] driver_detach+0x81/0xb2
[ 108.079611] [<ffffffff812f1357>] bus_remove_driver+0x6f/0xb4
[ 108.086045] [<ffffffffa001a568>] ? sdhci_acpi_probe+0x411/0x411 [sdhci_acpi]
[ 108.094031] [<ffffffff812f20a3>] driver_unregister+0x4e/0x73
[ 108.100464] [<ffffffff812f2d26>] platform_driver_unregister+0xd/0xf
[ 108.107578] [<ffffffffa001a578>] sdhci_acpi_driver_exit+0x10/0xa98 [sdhci_acpi]
[ 108.115859] [<ffffffff8107eac3>] SyS_delete_module+0x1b6/0x244
[ 108.122488] [<ffffffff8102c638>] ? do_page_fault+0x9/0xd
[ 108.128535] [<ffffffff815cd052>] system_call_fastpath+0x16/0x1b
[ 108.135250] Code: 00 48 8b 7b 08 4c 8b 63 10 f6 87 60 03 00 00 10 74 41 48 8d b3 d8 03 00 00 48 83 c7 70 e8 26 10 2e e1 f6 83 18 04 00 00 02 74 1f <41> 80 bc 24 98 03 00 00 00 74 14 48 8b 7b 08 48 8d b3 f8 03 00
[ 108.156804] RIP [<ffffffffa000d201>] mmc_blk_remove_req+0x56/0x8b [mmc_block]
[ 108.164895] RSP <ffff88013426dbe8>
[ 108.168794] CR2: 0000000000000398
[ 108.174595] ---[ end trace b9c7313fc09b25d8 ]---
Thread overview: 7+ messages
2013-07-24 13:17 [PATCH] mmc: fix null pointer use in mmc_blk_remove_req franck.jullien
2013-07-25 7:20 ` Franck Jullien
2013-08-25 3:22 ` Chris Ball
2013-10-07 8:48 ` Adrian Hunter [this message]
2013-10-07 8:50 ` Adrian Hunter
2013-10-07 8:54 ` Adrian Hunter
2013-10-10 23:18 ` Greg KH