Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 95b3a8d4 authored by Sujit Reddy Thumma's avatar Sujit Reddy Thumma Committed by Matt Wagantall
Browse files

mmc: core: Fix null pointer dereference due to race conditions 



Fix race condition between mmcqd thread and the mmc_queue_suspend
updating a shared variable mq->flags, which can lead to potential
null pointer dereference as following-

Unable to handle kernel NULL pointer dereference at
virtual address 00000020
pgd = c0004000
[00000020] *pgd=00000000
mmcqd/0:  186] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
CPU: 0    Tainted: G        W     (3.4.0-1251694-eng #1)
PC is at mmc_blk_err_check+0x20c/0x3b8
LR is at mmc_start_req+0x198/0x718

cpu0		|	cpu1
x |= 1		|	x |= 2

final value of x can be x = 1 or x = 2

Change-Id: Ie0fff6d6dba5aebb3584cba9fb98de24515c4cd8
Signed-off-by: default avatarSujit Reddy Thumma <sthumma@codeaurora.org>
[merez@codeaurora.org: fix conflicts due to missing stop transmission
and changes in new request implementation in 3.14]
Signed-off-by: default avatarMaya Erez <merez@codeaurora.org>
[venkatg@codeaurora.org: Fix conflicts due to changes in 3.14 kernel]
Signed-off-by: default avatarVenkat Gopalakrishnan <venkatg@codeaurora.org>
parent 318f8c9a

drivers/mmc/card/block.c

+4 −3
Original line number Diff line number Diff line
@@ -30,6 +30,7 @@ 
#include <linux/blkdev.h>

#include <linux/mutex.h>

#include <linux/scatterlist.h>

#include <linux/bitops.h>

#include <linux/string_helpers.h>

#include <linux/delay.h>

#include <linux/capability.h>
@@ -2408,7 +2409,7 @@ static int mmc_blk_issue_rw_rq(struct mmc_queue *mq, struct request *rqc) 
		areq = mmc_start_req(card->host, areq, (int *) &status);

		if (!areq) {

			if (status == MMC_BLK_NEW_REQUEST)

				mq->flags |= MMC_QUEUE_NEW_REQUEST;

				set_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);

			return 0;

		}
@@ -2590,7 +2591,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req) 


	mmc_blk_write_packing_control(mq, req);



	mq->flags &= ~MMC_QUEUE_NEW_REQUEST;

	clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);

	if (cmd_flags & REQ_DISCARD) {

		/* complete ongoing async transfer before issuing discard */

		if (card->host->areq)
@@ -2614,7 +2615,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req) 
	}



out:

	if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) ||

	if ((!req && !(test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags))) ||

	     (cmd_flags & MMC_REQ_SPECIAL_MASK))

		/*

		 * Release host when there are no more requests

drivers/mmc/card/queue.c

+6 −8
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 
#include <linux/kthread.h>

#include <linux/scatterlist.h>

#include <linux/dma-mapping.h>

#include <linux/bitops.h>



#include <linux/mmc/card.h>

#include <linux/mmc/host.h>
@@ -76,8 +77,8 @@ static int mmc_queue_thread(void *d) 
			set_current_state(TASK_RUNNING);

			cmd_flags = req ? req->cmd_flags : 0;

			mq->issue_fn(mq, req);

			if (mq->flags & MMC_QUEUE_NEW_REQUEST) {

				mq->flags &= ~MMC_QUEUE_NEW_REQUEST;

			if (test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags)) {

				clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);

				continue; /* fetch again */

			}
@@ -448,9 +449,7 @@ int mmc_queue_suspend(struct mmc_queue *mq, int wait) 
	unsigned long flags;

	int rc = 0;



	if (!(mq->flags & MMC_QUEUE_SUSPENDED)) {

		mq->flags |= MMC_QUEUE_SUSPENDED;



	if (!(test_and_set_bit(MMC_QUEUE_SUSPENDED, &mq->flags))) {

		spin_lock_irqsave(q->queue_lock, flags);

		blk_stop_queue(q);

		spin_unlock_irqrestore(q->queue_lock, flags);
@@ -461,7 +460,7 @@ int mmc_queue_suspend(struct mmc_queue *mq, int wait) 
			 * Failed to take the lock so better to abort the

			 * suspend because mmcqd thread is processing requests.

			 */

			mq->flags &= ~MMC_QUEUE_SUSPENDED;

			clear_bit(MMC_QUEUE_SUSPENDED, &mq->flags);

			spin_lock_irqsave(q->queue_lock, flags);

			blk_start_queue(q);

			spin_unlock_irqrestore(q->queue_lock, flags);
@@ -483,8 +482,7 @@ void mmc_queue_resume(struct mmc_queue *mq) 
	struct request_queue *q = mq->queue;

	unsigned long flags;



	if (mq->flags & MMC_QUEUE_SUSPENDED) {

		mq->flags &= ~MMC_QUEUE_SUSPENDED;

	if (test_and_clear_bit(MMC_QUEUE_SUSPENDED, &mq->flags)) {



		up(&mq->thread_sem);

drivers/mmc/card/queue.h

+3 −3
Original line number Diff line number Diff line
@@ -47,9 +47,9 @@ struct mmc_queue { 
	struct mmc_card		*card;

	struct task_struct	*thread;

	struct semaphore	thread_sem;

	unsigned int		flags;

#define MMC_QUEUE_SUSPENDED	(1 << 0)

#define MMC_QUEUE_NEW_REQUEST	(1 << 1)

	unsigned long		flags;

#define MMC_QUEUE_SUSPENDED		0

#define MMC_QUEUE_NEW_REQUEST		1



	int			(*issue_fn)(struct mmc_queue *, struct request *);

	void			*data;