From: Jarkko Nikula <jarkko.nikula@bitmer.com>
To: linux-mmc@vger.kernel.org
Cc: Chris Ball <cjb@laptop.org>,
aaro.koskinen@iki.fi, Jarkko Nikula <jarkko.nikula@bitmer.com>
Subject: [PATCH FIX+RESEND 1/7] mmc: omap: Fix NULL pointer dereference due uninitialized cover_tasklet
Date: Sun, 6 Oct 2013 20:36:12 +0300
Message-ID: <1381080978-29127-1-git-send-email-jarkko.nikula@bitmer.com>

Omap MMC driver initialization can cause a NULL pointer dereference in
tasklet_hi_action on Nokia N810 if its miniSD cover is open during driver
initialization.

Reason for this is that omap_notify_cover_event which calls
tasklet_hi_schedule gets called before struct cover_tasklet is initialized.
Call to omap_notify_cover_event on Nokia N810 happens from menelaus.c PMIC
driver via board-n8x0.c during execution of mmc_add_host in case of open
miniSD cover.

Fix this by moving cover_timer and cover_tasklet initialization before
mmc_add_host call in mmc_omap_new_slot.

Signed-off-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
---
drivers/mmc/host/omap.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/mmc/host/omap.c b/drivers/mmc/host/omap.c
index b94f38e..31f33ac 100644
--- a/drivers/mmc/host/omap.c
+++ b/drivers/mmc/host/omap.c
@@ -1273,6 +1273,13 @@ static int mmc_omap_new_slot(struct mmc_omap_host *host, int id)
mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count;
mmc->max_seg_size = mmc->max_req_size;
+ if (slot->pdata->get_cover_state != NULL) {
+ setup_timer(&slot->cover_timer, mmc_omap_cover_timer,
+ (unsigned long)slot);
+ tasklet_init(&slot->cover_tasklet, mmc_omap_cover_handler,
+ (unsigned long)slot);
+ }
+
r = mmc_add_host(mmc);
if (r < 0)
goto err_remove_host;
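Review bot: the new `if (slot->pdata->get_cover_state != NULL)` guard means setup_timer() and tasklet_init() are still skipped for a slot without that callback, while the commit message says omap_notify_cover_event calls tasklet_hi_schedule from board code during mmc_add_host. Unless omap_notify_cover_event checks the same condition before scheduling (not visible in this hunk), the uninitialized-tasklet path stays reachable on such a board. Both calls are cheap, so consider making them unconditional before mmc_add_host, or state in the commit message where the notify path is guarded. A short comment above the block saying it must precede mmc_add_host would also keep a later cleanup from moving it back.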
@@ -1289,11 +1296,6 @@ static int mmc_omap_new_slot(struct mmc_omap_host *host, int id)
&dev_attr_cover_switch);
if (r < 0)
goto err_remove_slot_name;
-
- setup_timer(&slot->cover_timer, mmc_omap_cover_timer,
- (unsigned long)slot);
- tasklet_init(&slot->cover_tasklet, mmc_omap_cover_handler,
- (unsigned long)slot);
tasklet_schedule(&slot->cover_tasklet);
}
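Review bot: the `goto err_remove_slot_name` path just above the removed lines (and err_remove_host in the previous hunk) can now run after a cover event has already scheduled cover_tasklet during mmc_add_host, which was not possible when the init sat here. Please confirm that those error labels call tasklet_kill() and del_timer_sync() on the slot before it is released; their bodies are not visible in this patch, and a pending tasklet or armed timer running against a torn-down slot would trade the NULL dereference for a use-after-free. If they do not, adding that cleanup belongs in this same fix.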
--
1.8.4.rc3