[stable/4.14.y,2/3] mmc: Fix null pointer dereference in mmc_init_request

Message ID: 20190513175521.84955-3-rrangel@chromium.org
State: New, archived
Series: mmc: Fix a potential resource leak when shutting down request queue.

Commit Message

Raul Rangel May 13, 2019, 5:55 p.m. UTC
It is possible for queuedata to be cleared in mmc_cleanup_queue before
the request has been started. This will result in dereferencing a null
pointer.

Signed-off-by: Raul E Rangel <rrangel@chromium.org>
---

 drivers/mmc/core/queue.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Comments

Greg Kroah-Hartman May 13, 2019, 8:12 p.m. UTC | #1
On Mon, May 13, 2019 at 11:55:20AM -0600, Raul E Rangel wrote:
> It is possible for queuedata to be cleared in mmc_cleanup_queue before
> the request has been started. This will result in dereferencing a null
> pointer.
> 
> Signed-off-by: Raul E Rangel <rrangel@chromium.org>
> ---
> 
>  drivers/mmc/core/queue.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>
Patch

diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c
index d99fa4e63033c..bd7d521d5ad9d 100644
--- a/drivers/mmc/core/queue.c
+++ b/drivers/mmc/core/queue.c
@@ -159,8 +159,14 @@  static int mmc_init_request(struct request_queue *q, struct request *req,
 {
 	struct mmc_queue_req *mq_rq = req_to_mmc_queue_req(req);
 	struct mmc_queue *mq = q->queuedata;
-	struct mmc_card *card = mq->card;
-	struct mmc_host *host = card->host;
+	struct mmc_card *card;
+	struct mmc_host *host;
+
+	if (!mq)
+		return -ENODEV;
+
+	card = mq->card;
+	host = card->host;
 
 	mq_rq->sg = mmc_alloc_sg(host->max_segs, gfp);
 	if (!mq_rq->sg)
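Review bot: the `if (!mq) return -ENODEV;` check closes only the case where `q->queuedata` is already NULL when mmc_init_request is entered; `mq` is loaded from `q->queuedata` once and then dereferenced through `mq->card` and `card->host`, so a clear in mmc_cleanup_queue that lands after that load is not caught and the window is narrowed rather than closed. The commit message should say what ordering makes the single read sufficient (the queue being stopped or quiesced before queuedata is cleared, or a later patch in this series), otherwise the fix reads as a symptom patch. A one-line comment above the check, along the lines of `/* queue is being torn down, see mmc_cleanup_queue */`, would also make the intent clear to the next reader, and since the allocation failure path just below (`if (!mq_rq->sg)`) returns a different error, a word on why -ENODEV was chosen here belongs in the commit message too.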