Revision bbdc74dc19e09ac4e71bfb219596b3d5bc786720 authored by Grzegorz Sluja on 13 July 2017, 09:17:58 UTC, committed by Ulf Hansson on 13 July 2017, 09:44:01 UTC
The commit 304419d8a7e9 ("mmc: core: Allocate per-request data using the
block layer core"), refactored the mechanism of queue handling, but also
made mmc_init_request() to be called after mmc_cleanup_queue(). This
triggers a null pointer dereference:
[ 683.123791] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 683.123801] IP: mmc_init_request+0x2c/0xf0 [mmc_block]
...
[ 683.123905] Call Trace:
[ 683.123913] alloc_request_size+0x4f/0x70
[ 683.123919] mempool_alloc+0x5f/0x150
[ 683.123925] ? __enqueue_entity+0x6c/0x70
[ 683.123928] get_request+0x3ad/0x720
[ 683.123933] ? prepare_to_wait_event+0x110/0x110
[ 683.123937] blk_queue_bio+0xc1/0x3a0
[ 683.123940] generic_make_request+0xf8/0x2a0
[ 683.123942] submit_bio+0x75/0x150
[ 683.123947] submit_bio_wait+0x51/0x70
[ 683.123951] blkdev_issue_flush+0x5c/0x90
[ 683.123956] ext4_sync_fs+0x171/0x1b0
[ 683.123961] sync_filesystem+0x73/0x90
[ 683.123965] fsync_bdev+0x24/0x50
[ 683.123971] invalidate_partition+0x24/0x50
[ 683.123973] del_gendisk+0xb2/0x2a0
[ 683.123977] mmc_blk_remove_req.part.38+0x71/0xa0 [mmc_block]
[ 683.123980] mmc_blk_remove+0xba/0x190 [mmc_block]
[ 683.123990] mmc_bus_remove+0x1a/0x20 [mmc_core]
[ 683.123995] device_release_driver_internal+0x141/0x200
[ 683.123999] device_release_driver+0x12/0x20
[ 683.124001] bus_remove_device+0xfd/0x170
[ 683.124004] device_del+0x1e8/0x330
[ 683.124012] mmc_remove_card+0x60/0xc0 [mmc_core]
[ 683.124019] mmc_remove+0x19/0x30 [mmc_core]
[ 683.124025] mmc_stop_host+0xfb/0x1a0 [mmc_core]
[ 683.124032] mmc_remove_host+0x1a/0x40 [mmc_core]
[ 683.124037] sdhci_remove_host+0x2e/0x1c0 [mmc_sdhci]
[ 683.124042] sdhci_pci_remove_slot+0x3f/0x80 [sdhci_pci]
[ 683.124045] sdhci_pci_remove+0x39/0x70 [sdhci_pci]
[ 683.124049] pci_device_remove+0x39/0xc0
[ 683.124052] device_release_driver_internal+0x141/0x200
[ 683.124056] driver_detach+0x3f/0x80
[ 683.124059] bus_remove_driver+0x55/0xd0
[ 683.124062] driver_unregister+0x2c/0x50
[ 683.124065] pci_unregister_driver+0x29/0x90
[ 683.124069] sdhci_driver_exit+0x10/0x4f3 [sdhci_pci]
[ 683.124073] SyS_delete_module+0x171/0x250
[ 683.124078] entry_SYSCALL_64_fastpath+0x1e/0xa9
Fix this by setting the queue DYING flag before cleanup the queue, as it
prevents new reqs from entering the queue.
Signed-off-by: Grzegorz Sluja <grzegorzx.sluja@intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Fixes: 304419d8a7e9 ("mmc: core: Allocate per-request data using the...")
[Ulf: Updated the changelog]
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
1 parent aab2ee0
| File | Mode | Size |
|---|---|---|
| bitops | ||
| 4level-fixup.h | -rw-r--r-- | 1.0 KB |
| 5level-fixup.h | -rw-r--r-- | 1.1 KB |
| asm-offsets.h | -rw-r--r-- | 35 bytes |
| asm-prototypes.h | -rw-r--r-- | 468 bytes |
| atomic-long.h | -rw-r--r-- | 6.8 KB |
| atomic.h | -rw-r--r-- | 5.1 KB |
| atomic64.h | -rw-r--r-- | 2.2 KB |
| audit_change_attr.h | -rw-r--r-- | 445 bytes |
| audit_dir_write.h | -rw-r--r-- | 416 bytes |
| audit_read.h | -rw-r--r-- | 202 bytes |
| audit_signal.h | -rw-r--r-- | 36 bytes |
| audit_write.h | -rw-r--r-- | 377 bytes |
| barrier.h | -rw-r--r-- | 5.6 KB |
| bitops.h | -rw-r--r-- | 1.1 KB |
| bitsperlong.h | -rw-r--r-- | 553 bytes |
| bug.h | -rw-r--r-- | 6.4 KB |
| bugs.h | -rw-r--r-- | 228 bytes |
| cache.h | -rw-r--r-- | 345 bytes |
| cacheflush.h | -rw-r--r-- | 1.3 KB |
| checksum.h | -rw-r--r-- | 2.2 KB |
| clkdev.h | -rw-r--r-- | 706 bytes |
| cmpxchg-local.h | -rw-r--r-- | 1.4 KB |
| cmpxchg.h | -rw-r--r-- | 2.2 KB |
| current.h | -rw-r--r-- | 217 bytes |
| delay.h | -rw-r--r-- | 1.1 KB |
| device.h | -rw-r--r-- | 245 bytes |
| div64.h | -rw-r--r-- | 6.9 KB |
| dma-contiguous.h | -rw-r--r-- | 199 bytes |
| dma.h | -rw-r--r-- | 514 bytes |
| early_ioremap.h | -rw-r--r-- | 1.5 KB |
| emergency-restart.h | -rw-r--r-- | 209 bytes |
| exec.h | -rw-r--r-- | 697 bytes |
| export.h | -rw-r--r-- | 2.2 KB |
| extable.h | -rw-r--r-- | 763 bytes |
| fb.h | -rw-r--r-- | 232 bytes |
| fixmap.h | -rw-r--r-- | 2.8 KB |
| ftrace.h | -rw-r--r-- | 460 bytes |
| futex.h | -rw-r--r-- | 3.7 KB |
| getorder.h | -rw-r--r-- | 1.4 KB |
| gpio.h | -rw-r--r-- | 4.4 KB |
| hardirq.h | -rw-r--r-- | 493 bytes |
| hugetlb.h | -rw-r--r-- | 806 bytes |
| hw_irq.h | -rw-r--r-- | 270 bytes |
| ide_iops.h | -rw-r--r-- | 752 bytes |
| int-ll64.h | -rw-r--r-- | 893 bytes |
| io.h | -rw-r--r-- | 19.6 KB |
| ioctl.h | -rw-r--r-- | 467 bytes |
| iomap.h | -rw-r--r-- | 3.1 KB |
| irq.h | -rw-r--r-- | 364 bytes |
| irq_regs.h | -rw-r--r-- | 980 bytes |
| irq_work.h | -rw-r--r-- | 155 bytes |
| irqflags.h | -rw-r--r-- | 1.5 KB |
| kdebug.h | -rw-r--r-- | 143 bytes |
| kmap_types.h | -rw-r--r-- | 159 bytes |
| kprobes.h | -rw-r--r-- | 829 bytes |
| kvm_para.h | -rw-r--r-- | 441 bytes |
| linkage.h | -rw-r--r-- | 225 bytes |
| local.h | -rw-r--r-- | 2.2 KB |
| local64.h | -rw-r--r-- | 3.8 KB |
| mcs_spinlock.h | -rw-r--r-- | 260 bytes |
| memory_model.h | -rw-r--r-- | 2.1 KB |
| mm-arch-hooks.h | -rw-r--r-- | 388 bytes |
| mm_hooks.h | -rw-r--r-- | 837 bytes |
| mmu.h | -rw-r--r-- | 410 bytes |
| mmu_context.h | -rw-r--r-- | 842 bytes |
| module.h | -rw-r--r-- | 1.1 KB |
| msi.h | -rw-r--r-- | 799 bytes |
| page.h | -rw-r--r-- | 2.4 KB |
| param.h | -rw-r--r-- | 328 bytes |
| parport.h | -rw-r--r-- | 565 bytes |
| pci.h | -rw-r--r-- | 542 bytes |
| pci_iomap.h | -rw-r--r-- | 2.0 KB |
| percpu.h | -rw-r--r-- | 12.2 KB |
| pgalloc.h | -rw-r--r-- | 303 bytes |
| pgtable-nop4d-hack.h | -rw-r--r-- | 1.8 KB |
| pgtable-nop4d.h | -rw-r--r-- | 1.6 KB |
| pgtable-nopmd.h | -rw-r--r-- | 1.9 KB |
| pgtable-nopud.h | -rw-r--r-- | 1.9 KB |
| pgtable.h | -rw-r--r-- | 26.2 KB |
| preempt.h | -rw-r--r-- | 1.9 KB |
| ptrace.h | -rw-r--r-- | 1.6 KB |
| qrwlock.h | -rw-r--r-- | 5.0 KB |
| qrwlock_types.h | -rw-r--r-- | 431 bytes |
| qspinlock.h | -rw-r--r-- | 4.2 KB |
| qspinlock_types.h | -rw-r--r-- | 2.3 KB |
| resource.h | -rw-r--r-- | 1.0 KB |
| rwsem.h | -rw-r--r-- | 3.0 KB |
| seccomp.h | -rw-r--r-- | 1.3 KB |
| sections.h | -rw-r--r-- | 4.5 KB |
| segment.h | -rw-r--r-- | 249 bytes |
| serial.h | -rw-r--r-- | 306 bytes |
| set_memory.h | -rw-r--r-- | 323 bytes |
| signal.h | -rw-r--r-- | 269 bytes |
| simd.h | -rw-r--r-- | 397 bytes |
| sizes.h | -rw-r--r-- | 78 bytes |
| spinlock.h | -rw-r--r-- | 290 bytes |
| statfs.h | -rw-r--r-- | 130 bytes |
| string.h | -rw-r--r-- | 281 bytes |
| switch_to.h | -rw-r--r-- | 992 bytes |
| syscall.h | -rw-r--r-- | 6.2 KB |
| syscalls.h | -rw-r--r-- | 700 bytes |
| termios-base.h | -rw-r--r-- | 2.1 KB |
| termios.h | -rw-r--r-- | 2.8 KB |
| timex.h | -rw-r--r-- | 469 bytes |
| tlb.h | -rw-r--r-- | 9.1 KB |
| tlbflush.h | -rw-r--r-- | 446 bytes |
| topology.h | -rw-r--r-- | 2.1 KB |
| trace_clock.h | -rw-r--r-- | 352 bytes |
| uaccess-unaligned.h | -rw-r--r-- | 733 bytes |
| uaccess.h | -rw-r--r-- | 5.2 KB |
| unaligned.h | -rw-r--r-- | 1.0 KB |
| unistd.h | -rw-r--r-- | 279 bytes |
| user.h | -rw-r--r-- | 242 bytes |
| vga.h | -rw-r--r-- | 548 bytes |
| vmlinux.lds.h | -rw-r--r-- | 27.3 KB |
| vtime.h | -rw-r--r-- | 52 bytes |
| word-at-a-time.h | -rw-r--r-- | 2.7 KB |
| xor.h | -rw-r--r-- | 13.6 KB |
Computing file changes ...
