From patchwork Mon May 13 17:55:19 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raul Rangel X-Patchwork-Id: 10941445 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 718DD924 for ; Mon, 13 May 2019 17:56:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 62A83277D9 for ; Mon, 13 May 2019 17:56:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 56FD0283C3; Mon, 13 May 2019 17:56:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E5BA92838B for ; Mon, 13 May 2019 17:56:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731960AbfEMR4I (ORCPT ); Mon, 13 May 2019 13:56:08 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:38396 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731903AbfEMR4H (ORCPT ); Mon, 13 May 2019 13:56:07 -0400 Received: by mail-io1-f68.google.com with SMTP id x24so3338800ion.5 for ; Mon, 13 May 2019 10:56:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=MOJlVvk72P8k3dgBOfAuZ6psp1YU3jhKdn1gghNxATc=; b=lPXRNxMEfmEkBJ2JUsjOiFAB5IEvtszF9GsXLLMymQMTdTHjTPbfYklCtmKqqzsBsd lri1kvgtlPeYqK0uEdFt59OYdYa92ka9CGgkut/59X+m+eEkSgzRWRakGDjBllvStYuu JsxjEMd48GtJP9UCCx2xlye3dZGp2QpPbz1Ws= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=MOJlVvk72P8k3dgBOfAuZ6psp1YU3jhKdn1gghNxATc=; b=sT20x0Oj3NUzDrdsicOlGWJ2hmgJU+KMtzvc8hCUcJbZ7jDeGLCKJtHWXsD+c8udFI CLplXNL/qnB7Ily0jqadNOsJqslIWQIFkYIRj36LZXnWsakVic+dnudsig1KKcCdi2mX NQ4wT/yTpBftkq+dS4JyAmMmQAw8nJSwwVw9LGLeU9CxHr8B5uj2J4ZOrF31wBglUvQ4 XN29IKepYFhf5KraJ5C+KsCPQ+YSVvjUTTo7RcLmbl7a4cxqHRL1ekJcvSY8GSSf3Bx+ mEYPYGnZEuPWhq2mRvB0kXp06oqRZvhtmvluqq1gAWEvmGNnzOHSBfC8weReGD8Isa34 a/JQ== X-Gm-Message-State: APjAAAXp4emJ8MUSuUycnUM7WaePRSnVY/B1M3KnFPvD4yPJCezv+YNr 4T3gM6CpeBT/VNH1BOMfLbd7VA== X-Google-Smtp-Source: APXvYqyjGAWAfDCCM4xTLO+p8nZzYQLlCZMDQSDHg94cFNw98HntOIFCUWAFBUlFJKi0x2U/1Ny1yw== X-Received: by 2002:a6b:e618:: with SMTP id g24mr14509690ioh.138.1557770166634; Mon, 13 May 2019 10:56:06 -0700 (PDT) Received: from localhost ([2620:15c:183:0:20b8:dee7:5447:d05]) by smtp.gmail.com with ESMTPSA id l80sm78323ita.15.2019.05.13.10.56.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 May 2019 10:56:06 -0700 (PDT) From: Raul E Rangel To: stable@vger.kernel.org Cc: linux-mmc@vger.kernel.org, djkurtz@google.com, adrian.hunter@intel.com, zwisler@chromium.org, Linus Walleij , Ulf Hansson , Raul E Rangel , linux-kernel@vger.kernel.org, Chris Boot , =?utf-8?b?Q2w=?= =?utf-8?b?w6ltZW50IFDDqXJvbg==?= , Greg Kroah-Hartman Subject: [stable/4.14.y PATCH 1/3] mmc: block: Simplify cleaning up the queue Date: Mon, 13 May 2019 11:55:19 -0600 Message-Id: <20190513175521.84955-2-rrangel@chromium.org> X-Mailer: git-send-email 2.21.0.1020.gf2820cf01a-goog In-Reply-To: <20190513175521.84955-1-rrangel@chromium.org> References: <20190513175521.84955-1-rrangel@chromium.org> MIME-Version: 1.0 Sender: linux-mmc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-mmc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Adrian Hunter Use blk_cleanup_queue() to shutdown the queue when the driver is removed, and instead get an extra reference to the queue to prevent the queue being freed before the final mmc_blk_put(). Signed-off-by: Adrian Hunter Acked-by: Linus Walleij Signed-off-by: Ulf Hansson Tested-by: Linus Walleij Signed-off-by: Raul E Rangel --- commit 41e3efd07d5a02c80f503e29d755aa1bbb4245de upstream. drivers/mmc/core/block.c | 17 ++++++++++++----- drivers/mmc/core/queue.c | 2 ++ 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index ce6dd49fbb98d..203038fb85111 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -161,7 +161,7 @@ static void mmc_blk_put(struct mmc_blk_data *md) md->usage--; if (md->usage == 0) { int devidx = mmc_get_devidx(md->disk); - blk_cleanup_queue(md->queue.queue); + blk_put_queue(md->queue.queue); ida_simple_remove(&mmc_blk_ida, devidx); put_disk(md->disk); kfree(md); @@ -2122,6 +2122,17 @@ static struct mmc_blk_data *mmc_blk_alloc_req(struct mmc_card *card, md->queue.blkdata = md; + /* + * Keep an extra reference to the queue so that we can shutdown the + * queue (i.e. call blk_cleanup_queue()) while there are still + * references to the 'md'. The corresponding blk_put_queue() is in + * mmc_blk_put(). + */ + if (!blk_get_queue(md->queue.queue)) { + mmc_cleanup_queue(&md->queue); + goto err_putdisk; + } + md->disk->major = MMC_BLOCK_MAJOR; md->disk->first_minor = devidx * perdev_minors; md->disk->fops = &mmc_bdops; @@ -2272,10 +2283,6 @@ static void mmc_blk_remove_req(struct mmc_blk_data *md) * from being accepted. */ card = md->queue.card; - spin_lock_irq(md->queue.queue->queue_lock); - queue_flag_set(QUEUE_FLAG_BYPASS, md->queue.queue); - spin_unlock_irq(md->queue.queue->queue_lock); - blk_set_queue_dying(md->queue.queue); mmc_cleanup_queue(&md->queue); if (md->disk->flags & GENHD_FL_UP) { device_remove_file(disk_to_dev(md->disk), &md->force_ro); diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c index 0a4e77a5ba33f..d99fa4e63033c 100644 --- a/drivers/mmc/core/queue.c +++ b/drivers/mmc/core/queue.c @@ -259,6 +259,8 @@ void mmc_cleanup_queue(struct mmc_queue *mq) blk_start_queue(q); spin_unlock_irqrestore(q->queue_lock, flags); + blk_cleanup_queue(q); + mq->card = NULL; } EXPORT_SYMBOL(mmc_cleanup_queue); From patchwork Mon May 13 17:55:20 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raul Rangel X-Patchwork-Id: 10941443 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4B22A933 for ; Mon, 13 May 2019 17:56:24 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3851B277D9 for ; Mon, 13 May 2019 17:56:24 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 29BA1283C9; Mon, 13 May 2019 17:56:24 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C129E277D9 for ; Mon, 13 May 2019 17:56:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731959AbfEMR4W (ORCPT ); Mon, 13 May 2019 13:56:22 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:42169 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731958AbfEMR4J (ORCPT ); Mon, 13 May 2019 13:56:09 -0400 Received: by mail-io1-f68.google.com with SMTP id g16so10765892iom.9 for ; Mon, 13 May 2019 10:56:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=p4CcdC3vdWD2Ui0Aq/H7gzZ1C57rvc/Ii4BGhP7cjj0=; b=jGDNIPu60fcw0f1WOvGi2tiKVlqgSg6Fb/ykouk/D0JwoTi++nbdU6LgpBsSRtkySy 4lRd4qsd9DOHTnqJqxcNk6a5pTsQ00tkar43dO1wkrNPX8qlyLdVF6AvEh5z41HyZoJI Pok4kVtpBr4M4GRyNifnkmEg2fAZxeJgyDt4E= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=p4CcdC3vdWD2Ui0Aq/H7gzZ1C57rvc/Ii4BGhP7cjj0=; b=W7xx/dnLIupzMvxfGz1pBLNV8xorPl3SVY7LAKRGz0XEs/B4GIeKcpxtEvHzZIpS0p AsxtlcQOz7Gd0LCdqO3uk1EJPum4nTFSTDgHI0txB3MldUOQr+G236saaCRLHg7MCLfe XFoMXyi0GQ5DgUBOgFIM3MgOXt4u0AtSHTdf0xRvkG4T4YyIsyZBf/XovPV+A8nbdY+M Zmh1+V7xbs2YvFnNFKyX8LOgJukUcwjxgnIxb3/VLvoDn15SoXFH1H9o8HkFwbAX5zLp KLXaIHORSa4QuE7QivPosi0M1mtgPlThyh6chzuQnstChCUcAdrM7Ecm+PBrXR1qe6wb KDUA== X-Gm-Message-State: APjAAAU+NIXduLCTwwq+CVNDeLAJrvaFGtWemfY5et3crwdBllwrdF57 0WLeUOQNpWYk4KYklFh8VMiX1A== X-Google-Smtp-Source: APXvYqzAf+DYtvpVdAY20sTIyvRr5z31svR51Zlph4CBmXYtO25zPoTjHPP0ujCD+kCxytw8tX9ufA== X-Received: by 2002:a05:6602:211a:: with SMTP id x26mr15415876iox.202.1557770168407; Mon, 13 May 2019 10:56:08 -0700 (PDT) Received: from localhost ([2620:15c:183:0:20b8:dee7:5447:d05]) by smtp.gmail.com with ESMTPSA id l13sm88548iti.6.2019.05.13.10.56.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 May 2019 10:56:08 -0700 (PDT) From: Raul E Rangel To: stable@vger.kernel.org Cc: linux-mmc@vger.kernel.org, djkurtz@google.com, adrian.hunter@intel.com, zwisler@chromium.org, Raul E Rangel , Linus Walleij , linux-kernel@vger.kernel.org, Ulf Hansson Subject: [stable/4.14.y PATCH 2/3] mmc: Fix null pointer dereference in mmc_init_request Date: Mon, 13 May 2019 11:55:20 -0600 Message-Id: <20190513175521.84955-3-rrangel@chromium.org> X-Mailer: git-send-email 2.21.0.1020.gf2820cf01a-goog In-Reply-To: <20190513175521.84955-1-rrangel@chromium.org> References: <20190513175521.84955-1-rrangel@chromium.org> MIME-Version: 1.0 Sender: linux-mmc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-mmc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP It is possible for queuedata to be cleared in mmc_cleanup_queue before the request has been started. This will result in dereferencing a null pointer. Signed-off-by: Raul E Rangel --- drivers/mmc/core/queue.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c index d99fa4e63033c..bd7d521d5ad9d 100644 --- a/drivers/mmc/core/queue.c +++ b/drivers/mmc/core/queue.c @@ -159,8 +159,14 @@ static int mmc_init_request(struct request_queue *q, struct request *req, { struct mmc_queue_req *mq_rq = req_to_mmc_queue_req(req); struct mmc_queue *mq = q->queuedata; - struct mmc_card *card = mq->card; - struct mmc_host *host = card->host; + struct mmc_card *card; + struct mmc_host *host; + + if (!mq) + return -ENODEV; + + card = mq->card; + host = card->host; mq_rq->sg = mmc_alloc_sg(host->max_segs, gfp); if (!mq_rq->sg) From patchwork Mon May 13 17:55:21 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Raul Rangel X-Patchwork-Id: 10941441 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BF90D924 for ; Mon, 13 May 2019 17:56:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B27F0277D9 for ; Mon, 13 May 2019 17:56:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A6912283C3; Mon, 13 May 2019 17:56:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 49DFA277D9 for ; Mon, 13 May 2019 17:56:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728114AbfEMR4L (ORCPT ); Mon, 13 May 2019 13:56:11 -0400 Received: from mail-it1-f195.google.com ([209.85.166.195]:35275 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731969AbfEMR4K (ORCPT ); Mon, 13 May 2019 13:56:10 -0400 Received: by mail-it1-f195.google.com with SMTP id u186so478538ith.0 for ; Mon, 13 May 2019 10:56:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=lPaL2VEX/hSzV1Wc4p9/qEgeMAItoGsdR21BQw+ZGgc=; b=ARYpG6dN7VA7JmzpN7iB8t24Q93Bs6/DdHTBoAsd+5raGiTu7FqD+BYziUnlJ4Rp+Y wCr/Yh+DJEHs+d9DKa3pvhCyovheuxA3h8Rki86q2vUhH9XapHiWstb7lKO5mGzAs4zQ Y4RKB4BdHnyuR7Hhlae2ru23Jqhqd2tvCguB4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=lPaL2VEX/hSzV1Wc4p9/qEgeMAItoGsdR21BQw+ZGgc=; b=iRLPCjwwrPTSFaP9t6kpAL3ztJuZCbQSqjOu2XONBAD9yZPjWcUY83OTHeLdZbagep Lz1VRnj3A6VBmNXUoxv1sZkPtQGUlNorS2QKCFTwx1wLJE2wDojz4rVT1V3UmknsMJ1x hzDPH+Vjf0yXbEyczeodVyePaYxBfsCz7ymBmVcMdj4P8C5raJ9hn48tSKpnuqognqRJ Qq43lyaHBjls1QELWQbXV7Q87xg/f3w1Ck7ZF+1A01P2KVGaNBU4qnAW1+ZO6zIG/x3H qU2QNgHURwQCQ4NfSpewiZRVSy+V69iXnA+431zVaMZLpylALEUxpqUV9CqrMzs7ajHt YUnw== X-Gm-Message-State: APjAAAU2riBChEh638jYTKwkT/TjC9CpcqhejZtr29PjRZxBIA6k4hpj ZiLWZvg4UJMp7V++eIl3+U8jCw== X-Google-Smtp-Source: APXvYqwH4/GTy25BEvta0lp/d2+77OUftVtWL1TgrCCI35CS1y+6wKWgOoyZX4rEHnEhXACB7JjPRA== X-Received: by 2002:a05:660c:2ce:: with SMTP id j14mr336633itd.70.1557770169403; Mon, 13 May 2019 10:56:09 -0700 (PDT) Received: from localhost ([2620:15c:183:0:20b8:dee7:5447:d05]) by smtp.gmail.com with ESMTPSA id i203sm113538iti.7.2019.05.13.10.56.08 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 May 2019 10:56:09 -0700 (PDT) From: Raul E Rangel To: stable@vger.kernel.org Cc: linux-mmc@vger.kernel.org, djkurtz@google.com, adrian.hunter@intel.com, zwisler@chromium.org, Raul E Rangel , Linus Walleij , linux-kernel@vger.kernel.org, Ulf Hansson Subject: [stable/4.14.y PATCH 3/3] mmc: Kill the request if the queuedata has been removed Date: Mon, 13 May 2019 11:55:21 -0600 Message-Id: <20190513175521.84955-4-rrangel@chromium.org> X-Mailer: git-send-email 2.21.0.1020.gf2820cf01a-goog In-Reply-To: <20190513175521.84955-1-rrangel@chromium.org> References: <20190513175521.84955-1-rrangel@chromium.org> MIME-Version: 1.0 Sender: linux-mmc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-mmc@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP No reason to even try processing the request if the queue is shutting down. Signed-off-by: Raul E Rangel --- drivers/mmc/core/queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mmc/core/queue.c b/drivers/mmc/core/queue.c index bd7d521d5ad9d..e7ac7163fafa4 100644 --- a/drivers/mmc/core/queue.c +++ b/drivers/mmc/core/queue.c @@ -30,7 +30,7 @@ static int mmc_prep_request(struct request_queue *q, struct request *req) { struct mmc_queue *mq = q->queuedata; - if (mq && (mmc_card_removed(mq->card) || mmc_access_rpmb(mq))) + if (!mq || mmc_card_removed(mq->card) || mmc_access_rpmb(mq)) return BLKPREP_KILL; req->rq_flags |= RQF_DONTPREP;