| Message ID | 1550843494-9457-1-git-send-email-riteshh@codeaurora.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | mmc: core: Fix NULL ptr crash from mmc_should_fail_request | expand |
On 2/22/19 5:51 AM, Ritesh Harjani wrote: > In case of CQHCI, mrq->cmd may be NULL for data requests (non DCMD). > In such case mmc_should_fail_request is directly dereferencing > mrq->cmd while cmd is NULL. > Fix this by checking for mrq->cmd pointer. > > Fixes: 72a5af554df8 ("mmc: core: Add support for handling CQE requests") > Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org> > --- > drivers/mmc/core/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c > index de0f1a1..4a66087 100644 > --- a/drivers/mmc/core/core.c > +++ b/drivers/mmc/core/core.c > @@ -95,7 +95,7 @@ static void mmc_should_fail_request(struct mmc_host *host, > if (!data) > return; > > - if (cmd->error || data->error || > + if ((cmd && cmd->error) || data->error || > !should_fail(&host->fail_mmc_request, data->blksz * data->blocks)) > return; > > Reporter says this fixes the problem
On 2/26/2019 6:14 AM, Laura Abbott wrote: > On 2/22/19 5:51 AM, Ritesh Harjani wrote: >> In case of CQHCI, mrq->cmd may be NULL for data requests (non DCMD). >> In such case mmc_should_fail_request is directly dereferencing >> mrq->cmd while cmd is NULL. >> Fix this by checking for mrq->cmd pointer. >> >> Fixes: 72a5af554df8 ("mmc: core: Add support for handling CQE requests") >> Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org> >> --- >> drivers/mmc/core/core.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c >> index de0f1a1..4a66087 100644 >> --- a/drivers/mmc/core/core.c >> +++ b/drivers/mmc/core/core.c >> @@ -95,7 +95,7 @@ static void mmc_should_fail_request(struct mmc_host >> *host, >> if (!data) >> return; >> - if (cmd->error || data->error || >> + if ((cmd && cmd->error) || data->error || >> !should_fail(&host->fail_mmc_request, data->blksz * >> data->blocks)) >> return; >> > > Reporter says this fixes the problem Sure, thanks Laura for confirming. Hi Ulf, Could you please pick this fix. Regards Ritesh
On Fri, 22 Feb 2019 at 14:51, Ritesh Harjani <riteshh@codeaurora.org> wrote: > > In case of CQHCI, mrq->cmd may be NULL for data requests (non DCMD). > In such case mmc_should_fail_request is directly dereferencing > mrq->cmd while cmd is NULL. > Fix this by checking for mrq->cmd pointer. > > Fixes: 72a5af554df8 ("mmc: core: Add support for handling CQE requests") > Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org> Applied for fixes and by adding a stable tag, thanks! Kind regards Uffe > --- > drivers/mmc/core/core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c > index de0f1a1..4a66087 100644 > --- a/drivers/mmc/core/core.c > +++ b/drivers/mmc/core/core.c > @@ -95,7 +95,7 @@ static void mmc_should_fail_request(struct mmc_host *host, > if (!data) > return; > > - if (cmd->error || data->error || > + if ((cmd && cmd->error) || data->error || > !should_fail(&host->fail_mmc_request, data->blksz * data->blocks)) > return; > > -- > The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, > a Linux Foundation Collaborative Project. >
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c index de0f1a1..4a66087 100644 --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -95,7 +95,7 @@ static void mmc_should_fail_request(struct mmc_host *host, if (!data) return; - if (cmd->error || data->error || + if ((cmd && cmd->error) || data->error || !should_fail(&host->fail_mmc_request, data->blksz * data->blocks)) return;
In case of CQHCI, mrq->cmd may be NULL for data requests (non DCMD). In such case mmc_should_fail_request is directly dereferencing mrq->cmd while cmd is NULL. Fix this by checking for mrq->cmd pointer. Fixes: 72a5af554df8 ("mmc: core: Add support for handling CQE requests") Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org> --- drivers/mmc/core/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)