mmc: core: Fix null pointer dereference due to race conditions
Fix race condition between mmcqd thread and the mmc_queue_suspend updating a shared variable mq->flags, which can lead to potential null pointer dereference as following- Unable to handle kernel NULL pointer dereference at virtual address 00000020 pgd = c0004000 [00000020] *pgd=00000000 mmcqd/0: 186] Internal error: Oops: 5 [#1] PREEMPT SMP ARM CPU: 0 Tainted: G W (3.4.0-1251694-eng #1) PC is at mmc_blk_err_check+0x20c/0x3b8 LR is at mmc_start_req+0x198/0x718 cpu0 | cpu1 x |= 1 | x |= 2 final value of x can be x = 1 or x = 2 Change-Id: Ie0fff6d6dba5aebb3584cba9fb98de24515c4cd8 Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org> [merez@codeaurora.org: fix conflicts due to missing stop transmission and changes in new request implementation in 3.14] Signed-off-by: Maya Erez <merez@codeaurora.org> [venkatg@codeaurora.org: Fix conflicts due to changes in 3.14 kernel] Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org> [subhashj@codeaurora.org: fixed trivial merge conflicts] Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
This commit is contained in:
Sujit Reddy Thumma
Subhash Jadavani
parent
c250bf69fd
commit
248d1fcebe
3 changed files with 13 additions and 14 deletions
|
|
@ -30,6 +30,7 @@
|
|||
#include <linux/blkdev.h>
|
||||
#include <linux/mutex.h>
|
||||
#include <linux/scatterlist.h>
|
||||
#include <linux/bitops.h>
|
||||
#include <linux/string_helpers.h>
|
||||
#include <linux/delay.h>
|
||||
#include <linux/capability.h>
|
||||
|
|
@ -2510,7 +2511,7 @@ static int mmc_blk_issue_rw_rq(struct mmc_queue *mq, struct request *rqc)
|
|||
areq = mmc_start_req(card->host, areq, (int *) &status);
|
||||
if (!areq) {
|
||||
if (status == MMC_BLK_NEW_REQUEST)
|
||||
mq->flags |= MMC_QUEUE_NEW_REQUEST;
|
||||
set_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -2679,7 +2680,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
|
|||
|
||||
mmc_blk_write_packing_control(mq, req);
|
||||
|
||||
mq->flags &= ~MMC_QUEUE_NEW_REQUEST;
|
||||
clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
|
||||
if (cmd_flags & REQ_DISCARD) {
|
||||
/* complete ongoing async transfer before issuing discard */
|
||||
if (card->host->areq)
|
||||
|
|
@ -2703,7 +2704,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
|
|||
}
|
||||
|
||||
out:
|
||||
if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) ||
|
||||
if ((!req && !(test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags))) ||
|
||||
(cmd_flags & MMC_REQ_SPECIAL_MASK))
|
||||
/*
|
||||
* Release host when there are no more requests
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
#include <linux/kthread.h>
|
||||
#include <linux/scatterlist.h>
|
||||
#include <linux/dma-mapping.h>
|
||||
#include <linux/bitops.h>
|
||||
|
||||
#include <linux/mmc/card.h>
|
||||
#include <linux/mmc/host.h>
|
||||
|
|
@ -82,8 +83,8 @@ static int mmc_queue_thread(void *d)
|
|||
cmd_flags = req ? req->cmd_flags : 0;
|
||||
mq->issue_fn(mq, req);
|
||||
cond_resched();
|
||||
if (mq->flags & MMC_QUEUE_NEW_REQUEST) {
|
||||
mq->flags &= ~MMC_QUEUE_NEW_REQUEST;
|
||||
if (test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags)) {
|
||||
clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
|
||||
continue; /* fetch again */
|
||||
}
|
||||
|
||||
|
|
@ -454,9 +455,7 @@ int mmc_queue_suspend(struct mmc_queue *mq, int wait)
|
|||
unsigned long flags;
|
||||
int rc = 0;
|
||||
|
||||
if (!(mq->flags & MMC_QUEUE_SUSPENDED)) {
|
||||
mq->flags |= MMC_QUEUE_SUSPENDED;
|
||||
|
||||
if (!(test_and_set_bit(MMC_QUEUE_SUSPENDED, &mq->flags))) {
|
||||
spin_lock_irqsave(q->queue_lock, flags);
|
||||
blk_stop_queue(q);
|
||||
spin_unlock_irqrestore(q->queue_lock, flags);
|
||||
|
|
@ -467,7 +466,7 @@ int mmc_queue_suspend(struct mmc_queue *mq, int wait)
|
|||
* Failed to take the lock so better to abort the
|
||||
* suspend because mmcqd thread is processing requests.
|
||||
*/
|
||||
mq->flags &= ~MMC_QUEUE_SUSPENDED;
|
||||
clear_bit(MMC_QUEUE_SUSPENDED, &mq->flags);
|
||||
spin_lock_irqsave(q->queue_lock, flags);
|
||||
blk_start_queue(q);
|
||||
spin_unlock_irqrestore(q->queue_lock, flags);
|
||||
|
|
@ -489,8 +488,7 @@ void mmc_queue_resume(struct mmc_queue *mq)
|
|||
struct request_queue *q = mq->queue;
|
||||
unsigned long flags;
|
||||
|
||||
if (mq->flags & MMC_QUEUE_SUSPENDED) {
|
||||
mq->flags &= ~MMC_QUEUE_SUSPENDED;
|
||||
if (test_and_clear_bit(MMC_QUEUE_SUSPENDED, &mq->flags)) {
|
||||
|
||||
up(&mq->thread_sem);
|
||||
|
||||
|
|
|
|||
|
|
@ -48,9 +48,9 @@ struct mmc_queue {
|
|||
struct mmc_card *card;
|
||||
struct task_struct *thread;
|
||||
struct semaphore thread_sem;
|
||||
unsigned int flags;
|
||||
#define MMC_QUEUE_SUSPENDED (1 << 0)
|
||||
#define MMC_QUEUE_NEW_REQUEST (1 << 1)
|
||||
unsigned long flags;
|
||||
#define MMC_QUEUE_SUSPENDED 0
|
||||
#define MMC_QUEUE_NEW_REQUEST 1
|
||||
|
||||
int (*issue_fn)(struct mmc_queue *, struct request *);
|
||||
void *data;
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue