From patchwork Tue Nov  6 16:52:12 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Venkatraman S <svenkatr@ti.com>
X-Patchwork-Id: 1705821
Return-Path: <linux-mmc-owner@vger.kernel.org>
X-Original-To: patchwork-linux-mmc@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork2.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by patchwork2.kernel.org (Postfix) with ESMTP id CB49BDFFEC
	for <patchwork-linux-mmc@patchwork.kernel.org>;
	Tue,  6 Nov 2012 16:52:37 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751557Ab2KFQwg (ORCPT
	<rfc822;patchwork-linux-mmc@patchwork.kernel.org>);
	Tue, 6 Nov 2012 11:52:36 -0500
Received: from bear.ext.ti.com ([192.94.94.41]:38102 "EHLO bear.ext.ti.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750866Ab2KFQwf (ORCPT <rfc822;linux-mmc@vger.kernel.org>);
	Tue, 6 Nov 2012 11:52:35 -0500
Received: from dlelxv30.itg.ti.com ([172.17.2.17])
	by bear.ext.ti.com (8.13.7/8.13.7) with ESMTP id qA6GqZUl019239;
	Tue, 6 Nov 2012 10:52:35 -0600
Received: from DFLE73.ent.ti.com (dfle73.ent.ti.com [128.247.5.110])
	by dlelxv30.itg.ti.com (8.13.8/8.13.8) with ESMTP id qA6GqZOv010660;
	Tue, 6 Nov 2012 10:52:35 -0600
Received: from dlelxv23.itg.ti.com (172.17.1.198) by dfle73.ent.ti.com
	(128.247.5.110) with Microsoft SMTP Server id 14.1.323.3;
	Tue, 6 Nov 2012 10:52:34 -0600
Received: from legion.dal.design.ti.com (legion.dal.design.ti.com
	[128.247.22.53])	by dlelxv23.itg.ti.com (8.13.8/8.13.8) with ESMTP id
	qA6GqYbE031320;	Tue, 6 Nov 2012 10:52:34 -0600
Received: from localhost (ltuba0393540.apr.dhcp.ti.com [172.24.136.208])	by
	legion.dal.design.ti.com (8.11.7p1+Sun/8.11.7) with ESMTP id
	qA6GqWw09046; Tue, 6 Nov 2012 10:52:33 -0600 (CST)
From: Venkatraman S <svenkatr@ti.com>
To: <cjb@vger.kernel.org>
CC: <linux-mmc@vger.kernel.org>, <linux-omap@vger.kernel.org>,
	Venkatraman S <svenkatr@ti.com>, <stable@vger.kernel.org>
Subject: [PATCH 1/5] mmc: omap_hsmmc: Avoid host->cmd dereference during
	data transfer failures
Date: Tue, 6 Nov 2012 22:22:12 +0530
Message-ID: <1352220737-14071-2-git-send-email-svenkatr@ti.com>
X-Mailer: git-send-email 1.8.0
In-Reply-To: <1352220737-14071-1-git-send-email-svenkatr@ti.com>
References: <1352220737-14071-1-git-send-email-svenkatr@ti.com>
MIME-Version: 1.0
Sender: linux-mmc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-mmc.vger.kernel.org>
X-Mailing-List: linux-mmc@vger.kernel.org

Sometimes, a error occurs just after the Command has been reported
to be successful (CC=1) but before data transfer completes (TC=1).
Setting end_cmd=1 here leads to a NULL pointer dereference of
host->cmd as the command complete has previously been handled.

Set end_cmd only when command complete has not been handled
before, else a NULL pointer dereference occurs.

CC: stable@vger.kernel.org
Signed-off-by: Venkatraman S <svenkatr@ti.com>
---
 drivers/mmc/host/omap_hsmmc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
index 5434fd8..06d2e03 100644
--- a/drivers/mmc/host/omap_hsmmc.c
+++ b/drivers/mmc/host/omap_hsmmc.c
@@ -996,7 +996,8 @@ static void omap_hsmmc_do_irq(struct omap_hsmmc_host *host, int status)
 		else if (status & (CMD_CRC | DATA_CRC))
 			hsmmc_command_incomplete(host, -EILSEQ);
 
-		end_cmd = 1;
+		if (host->cmd)
+			end_cmd = 1;
 		if (host->data || host->response_busy) {
 			end_trans = 1;
 			host->response_busy = 0;