From patchwork Mon Nov 5 19:45:16 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chris Ball
X-Patchwork-Id: 1700151
Return-Path:
X-Original-To: patchwork-linux-mmc@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork2.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id E0B8ADF2AB for ; Mon, 5 Nov 2012 19:45:26 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753036Ab2KETpZ (ORCPT ); Mon, 5 Nov 2012 14:45:25 -0500
Received: from void.printf.net ([89.145.121.20]:56855 "EHLO void.printf.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752677Ab2KETpX (ORCPT ); Mon, 5 Nov 2012 14:45:23 -0500
Received: from c-76-24-28-220.hsd1.ma.comcast.net ([76.24.28.220] helo=octavius.laptop.org) by void.printf.net with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.69) (envelope-from ) id 1TVSbn-0007oO-Ok; Mon, 05 Nov 2012 19:45:20 +0000
From: Chris Ball
To: Aaron Lu
Cc: Girish K S , Subhash Jadavani , Philip Rakity , , Aaron Lu
Subject: Re: [PATCH v2] mmc: sdhci: fix incorrect command used in tuning
References: <1341307669-20834-1-git-send-email-aaron.lu@amd.com>
Date: Mon, 05 Nov 2012 14:45:16 -0500
In-Reply-To: <1341307669-20834-1-git-send-email-aaron.lu@amd.com> (Aaron Lu's message of "Tue, 3 Jul 2012 17:27:49 +0800")
Message-ID: <87wqxzal6b.fsf@octavius.laptop.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.1 (gnu/linux)
MIME-Version: 1.0
Sender: linux-mmc-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-mmc@vger.kernel.org

Hi Aaron,

On Tue, Jul 03 2012, Aaron Lu wrote:

> */ > if ((host->flags & SDHCI_NEEDS_RETUNING) && > !(present_state & (SDHCI_DOING_WRITE | SDHCI_DOING_READ))) { > + /* eMMC uses cmd21 while sd and sdio use cmd19 */ > + tuning_opcode = mmc->card->type == MMC_TYPE_MMC ? > + MMC_SEND_TUNING_BLOCK_HS200 : > + MMC_SEND_TUNING_BLOCK;

This is causing a NULL deref crash here when run on host controllers with no card inserted -- mmc->card is NULL, as you'd expect, yet it's dereferenced anyway. Maybe the system you tested it on only has an eMMC, so you never noticed that it crashes if there's no card present? Or maybe it's abnormal for host controllers to set SDHCI_NEEDS_RETUNING when there's no card present?

In any case, this has hit 3.[345]-stable now, so we're causing crashes for people who weren't seeing a crash before they pulled -stable. :(

The patch below just checks mmc->card before dereferencing it -- does this look like the correct fix to you?

Subject: [PATCH] mmc: sdhci: Fix NULL dereference in sdhci_request() tuning code

Commit 473b095a72a9 ("mmc: sdhci: fix incorrect command used in tuning") introduced a NULL dereference if an SD 3.0 host controller raises the SDHCI_NEEDS_TUNING flag while no card is inserted.

Signed-off-by: Chris Ball
---
drivers/mmc/host/sdhci.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c index 07a5346..2e1175d 100644 --- a/drivers/mmc/host/sdhci.c +++ b/drivers/mmc/host/sdhci.c @@ -1294,16 +1294,19 @@ static void sdhci_request(struct mmc_host *mmc, struct mmc_request *mrq) */ if ((host->flags & SDHCI_NEEDS_RETUNING) && !(present_state & (SDHCI_DOING_WRITE | SDHCI_DOING_READ))) { - /* eMMC uses cmd21 while sd and sdio use cmd19 */ - tuning_opcode = mmc->card->type == MMC_TYPE_MMC ? - MMC_SEND_TUNING_BLOCK_HS200 : - MMC_SEND_TUNING_BLOCK; - spin_unlock_irqrestore(&host->lock, flags); - sdhci_execute_tuning(mmc, tuning_opcode); - spin_lock_irqsave(&host->lock, flags); - - /* Restore original mmc_request structure */ - host->mrq = mrq; + if (mmc->card) { + /* eMMC uses cmd21 but sd and sdio use cmd19 */ + tuning_opcode = + mmc->card->type == MMC_TYPE_MMC ? + MMC_SEND_TUNING_BLOCK_HS200 : + MMC_SEND_TUNING_BLOCK; + spin_unlock_irqrestore(&host->lock, flags); + sdhci_execute_tuning(mmc, tuning_opcode); + spin_lock_irqsave(&host->lock, flags); + + /* Restore original mmc_request structure */ + host->mrq = mrq; + } } if (mrq->sbc && !(host->flags & SDHCI_AUTO_CMD23))
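Review bot: The added `if (mmc->card)` guard in this hunk silently skips tuning and leaves SDHCI_NEEDS_RETUNING set, so when the flag is raised with no card inserted the branch is re-evaluated on every subsequent request; since the cover letter itself asks whether a host controller should ever set the flag in that state, a comment above the guard explaining why the no-card case is expected (or a note on whether the flag should be cleared there) would make the intent clear to the next reader. The same fix could be expressed with far less churn by extending the existing condition, e.g. `if ((host->flags & SDHCI_NEEDS_RETUNING) && mmc->card &&` followed by the unchanged `!(present_state & ...)` line, which avoids re-indenting the ten lines below and keeps the tuning block itself untouched in the diff. Finally, the commit message refers to the SDHCI_NEEDS_TUNING flag while the code in the hunk checks SDHCI_NEEDS_RETUNING; the message should name the flag the code actually tests.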