| author | Sujit Reddy Thumma <sthumma@codeaurora.org> | 2014-12-09 20:40:16 +0200 |
|---|---|---|
| committer | Subhash Jadavani <subhashj@codeaurora.org> | 2016-05-31 15:25:59 -0700 |
| commit | 248d1fcebed5f136804f86cff4501ed0461e84ee (patch) | |
| tree | 9f35b618d551e32e3d2f92ab3e34254cc2c49811 | |
| parent | c250bf69fda3120c4b47e41aa61cbad349b7df7a (diff) | |
mmc: core: Fix null pointer dereference due to race conditions
Fix a race condition between the mmcqd thread and mmc_queue_suspend
updating the shared variable mq->flags, which can lead to a
null pointer dereference as follows:
Unable to handle kernel NULL pointer dereference at
virtual address 00000020
pgd = c0004000
[00000020] *pgd=00000000
mmcqd/0: 186] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
CPU: 0 Tainted: G W (3.4.0-1251694-eng #1)
PC is at mmc_blk_err_check+0x20c/0x3b8
LR is at mmc_start_req+0x198/0x718
cpu0 | cpu1
x |= 1 | x |= 2
final value of x can be x = 1 or x = 2
Change-Id: Ie0fff6d6dba5aebb3584cba9fb98de24515c4cd8
Signed-off-by: Sujit Reddy Thumma <sthumma@codeaurora.org>
[merez@codeaurora.org: fix conflicts due to missing stop transmission
and changes in new request implementation in 3.14]
Signed-off-by: Maya Erez <merez@codeaurora.org>
[venkatg@codeaurora.org: Fix conflicts due to changes in 3.14 kernel]
Signed-off-by: Venkat Gopalakrishnan <venkatg@codeaurora.org>
[subhashj@codeaurora.org: fixed trivial merge conflicts]
Signed-off-by: Subhash Jadavani <subhashj@codeaurora.org>
| -rw-r--r-- | drivers/mmc/card/block.c | 7 | ||||
| -rw-r--r-- | drivers/mmc/card/queue.c | 14 | ||||
| -rw-r--r-- | drivers/mmc/card/queue.h | 6 |
3 files changed, 13 insertions, 14 deletions
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 32b413b61cda..56cb49d8d256 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -30,6 +30,7 @@
 #include <linux/blkdev.h>
 #include <linux/mutex.h>
 #include <linux/scatterlist.h>
+#include <linux/bitops.h>
 #include <linux/string_helpers.h>
 #include <linux/delay.h>
 #include <linux/capability.h>
@@ -2510,7 +2511,7 @@ static int mmc_blk_issue_rw_rq(struct mmc_queue *mq, struct request *rqc)
 areq = mmc_start_req(card->host, areq, (int *) &status);
 if (!areq) {
 if (status == MMC_BLK_NEW_REQUEST)
- mq->flags |= MMC_QUEUE_NEW_REQUEST;
+ set_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
 return 0;
 }
 
@@ -2679,7 +2680,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
 
 mmc_blk_write_packing_control(mq, req);
 
- mq->flags &= ~MMC_QUEUE_NEW_REQUEST;
+ clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
 if (cmd_flags & REQ_DISCARD) {
 /* complete ongoing async transfer before issuing discard */
 if (card->host->areq)
@@ -2703,7 +2704,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
 }
 
 out:
- if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) ||
+ if ((!req && !(test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags))) ||
 (cmd_flags & MMC_REQ_SPECIAL_MASK))
 /*
 * Release host when there are no more requests
diff --git a/drivers/mmc/card/queue.c b/drivers/mmc/card/queue.c
index 904872e3fad2..695b0ef06b39 100644
--- a/drivers/mmc/card/queue.c
+++ b/drivers/mmc/card/queue.c
@@ -16,6 +16,7 @@
 #include <linux/kthread.h>
 #include <linux/scatterlist.h>
 #include <linux/dma-mapping.h>
+#include <linux/bitops.h>
 #include <linux/mmc/card.h>
 #include <linux/mmc/host.h>
 
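Review bot: The new condition in the `out:` hunk of mmc_blk_issue_rq wraps test_bit() in a redundant pair of parentheses, `!(test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags))`; test_bit() already yields an int, so it reads better as `if ((!req && !test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags)) ||`, matching the bare set_bit()/clear_bit() calls in the two hunks above. The same redundant wrapping appears in mmc_queue_suspend's `!(test_and_set_bit(...))` in queue.c. Worth recording in the commit message or a comment that set_bit()/clear_bit()/test_bit() make each update to mq->flags atomic against the SUSPENDED bit but, unlike test_and_set_bit(), are not ordering barriers; that appears sufficient here because MMC_QUEUE_NEW_REQUEST is set and cleared only on the issue path run by the mmcqd thread itself, but it should be confirmed rather than assumed. Both mmc_blk_issue_rw_rq and mmc_blk_issue_rq start and end outside these hunks.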
@@ -82,8 +83,8 @@ static int mmc_queue_thread(void *d)
 cmd_flags = req ? req->cmd_flags : 0;
 mq->issue_fn(mq, req);
 cond_resched();
- if (mq->flags & MMC_QUEUE_NEW_REQUEST) {
- mq->flags &= ~MMC_QUEUE_NEW_REQUEST;
+ if (test_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags)) {
+ clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags);
 continue; /* fetch again */
 }
 
@@ -454,9 +455,7 @@ int mmc_queue_suspend(struct mmc_queue *mq, int wait)
 unsigned long flags;
 int rc = 0;
 
- if (!(mq->flags & MMC_QUEUE_SUSPENDED)) {
- mq->flags |= MMC_QUEUE_SUSPENDED;
-
+ if (!(test_and_set_bit(MMC_QUEUE_SUSPENDED, &mq->flags))) {
 spin_lock_irqsave(q->queue_lock, flags);
 blk_stop_queue(q);
 spin_unlock_irqrestore(q->queue_lock, flags);
@@ -467,7 +466,7 @@ int mmc_queue_suspend(struct mmc_queue *mq, int wait)
 * Failed to take the lock so better to abort the
 * suspend because mmcqd thread is processing requests.
 */
- mq->flags &= ~MMC_QUEUE_SUSPENDED;
+ clear_bit(MMC_QUEUE_SUSPENDED, &mq->flags);
 spin_lock_irqsave(q->queue_lock, flags);
 blk_start_queue(q);
 spin_unlock_irqrestore(q->queue_lock, flags);
@@ -489,8 +488,7 @@ void mmc_queue_resume(struct mmc_queue *mq)
 struct request_queue *q = mq->queue;
 unsigned long flags;
 
- if (mq->flags & MMC_QUEUE_SUSPENDED) {
- mq->flags &= ~MMC_QUEUE_SUSPENDED;
+ if (test_and_clear_bit(MMC_QUEUE_SUSPENDED, &mq->flags)) {
 
 up(&mq->thread_sem);
 
diff --git a/drivers/mmc/card/queue.h b/drivers/mmc/card/queue.h
index 2e23b6d849ae..bcb6827c0960 100644
--- a/drivers/mmc/card/queue.h
+++ b/drivers/mmc/card/queue.h
@@ -48,9 +48,9 @@ struct mmc_queue {
 struct mmc_card *card;
 struct task_struct *thread;
 struct semaphore thread_sem;
- unsigned int flags;
-#define MMC_QUEUE_SUSPENDED (1 << 0)
-#define MMC_QUEUE_NEW_REQUEST (1 << 1)
+ unsigned long flags;
+#define MMC_QUEUE_SUSPENDED 0
+#define MMC_QUEUE_NEW_REQUEST 1
 
 int (*issue_fn)(struct mmc_queue *, struct request *);
 void *data; |
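Review bot: The mmc_queue_thread hunk tests and then clears MMC_QUEUE_NEW_REQUEST with two separate bitops, whereas the equivalent pattern in mmc_queue_resume further down uses the combined test_and_clear_bit(); the two new lines could be collapsed to `if (test_and_clear_bit(MMC_QUEUE_NEW_REQUEST, &mq->flags)) {` for consistency across the file. This is a point of style rather than a race, since the flag appears to be touched only from this thread, though that is inferred from the hunks rather than visible here. The loop body of mmc_queue_thread begins and ends outside the hunk.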
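Review bot: The queue.h hunk changes MMC_QUEUE_SUSPENDED and MMC_QUEUE_NEW_REQUEST from bit masks (`1 << 0`, `1 << 1`) to bit numbers (`0`, `1`) without documenting it, and the field next to them gives no hint; any user not converted by this change that still reads `mq->flags & MMC_QUEUE_SUSPENDED` would compile cleanly but, with the macro now 0, never be true, and `mq->flags & MMC_QUEUE_NEW_REQUEST` would test the wrong bit. A comment on the field would make the contract explicit for reviewers and out-of-tree users: `/* bit numbers for set_bit()/test_bit() on flags, not masks */`. The struct definition continues past the hunk.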
