linux/drivers/mmc/core
Shawn Lin 7c84b8b43d mmc: block: bypass the queue even if usage is present for hotplug
The commit 304419d8a7 ("mmc: core: Allocate per-request data using the
block layer core") refactored the queue handling mechanism, so that
mmc_init_request() can be called just after mmc_cleanup_queue(), causing a
null pointer dereference.

Another commit bbdc74dc19 ("mmc: block: Prevent new req entering queue
after its cleanup") tried to fix the problem. However, it actually misses one
corner case.

We could still reproduce the issue mentioned with these steps:
(1) insert a SD card and mount it
(2) hotplug it, so it will leave md->usage still counted
(3) reboot the system which will sync data and umount the card

[Unable to handle kernel NULL pointer dereference at virtual address
00000000
[user pgtable: 4k pages, 48-bit VAs, pgd = ffff80007bab3000
[[0000000000000000] *pgd=000000007a828003, *pud=0000000078dce003,
*pmd=000000007aab6003, *pte=0000000000000000
[Internal error: Oops: 96000007 [#1] PREEMPT SMP
[Modules linked in:
[CPU: 3 PID: 3507 Comm: umount Tainted: G        W
4.13.0-rc1-next-20170720-00012-g9d9bf45 #33
[Hardware name: Firefly-RK3399 Board (DT)
[task: ffff80007a1de200 task.stack: ffff80007a01c000
[PC is at mmc_init_request+0x14/0xc4
[LR is at alloc_request_size+0x4c/0x74
[pc : [<ffff0000087d7150>] lr : [<ffff000008378fe0>] pstate: 600001c5
[sp : ffff80007a01f8f0

....

[[<ffff0000087d7150>] mmc_init_request+0x14/0xc4
[[<ffff000008378fe0>] alloc_request_size+0x4c/0x74
[[<ffff00000817ac28>] mempool_create_node+0xb8/0x17c
[[<ffff00000837aadc>] blk_init_rl+0x9c/0x120
[[<ffff000008396580>] blkg_alloc+0x110/0x234
[[<ffff000008396ac8>] blkg_create+0x424/0x468
[[<ffff00000839877c>] blkg_lookup_create+0xd8/0x14c
[[<ffff0000083796bc>] generic_make_request_checks+0x368/0x3b0
[[<ffff00000837b050>] generic_make_request+0x1c/0x240

So mmc_blk_put wouldn't call blk_cleanup_queue, which is actually where
QUEUE_FLAG_DYING and QUEUE_FLAG_BYPASS should be set. Block core expects
blk_queue_bypass_{start, end} to be used internally to bypass/drain the queue
before the queue actually dies, so it didn't expose an API to set the queue
bypass. I think we should set QUEUE_FLAG_BYPASS whenever the queue is removed,
even though md->usage is still counted, as no dispatch queue could be found then.

Fixes: 304419d8a7 ("mmc: core: Allocate per-request data using the block layer core")
Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
2017-08-03 11:00:39 +02:00
Kconfig mmc: core: Delete bounce buffer Kconfig option 2017-06-20 10:30:17 +02:00
Makefile mmc: core: change quirks.c to be a header file 2017-02-15 11:34:26 +01:00
block.c mmc: block: bypass the queue even if usage is present for hotplug 2017-08-03 11:00:39 +02:00
block.h mmc: block: stop passing around pointless return values 2017-02-13 13:20:40 +01:00
bus.c mmc: core: Move public functions from host.h to private headers 2017-02-13 13:20:25 +01:00
bus.h mmc: core: Move public functions from card.h to private headers 2017-02-13 13:20:24 +01:00
card.h mmc: core: change quirks.c to be a header file 2017-02-15 11:34:26 +01:00
core.c mmc: slot-gpio: Add support to enable irq wake on cd_irq 2017-06-20 10:30:49 +02:00
core.h mmc: core: Rename __mmc_set_signal_voltage() to mmc_set_signal_voltage() 2017-02-13 13:20:43 +01:00
debugfs.c mmc: core: Move public functions from host.h to private headers 2017-02-13 13:20:25 +01:00
host.c mmc: core: Use device_property_read instead of of_property_read 2017-06-20 10:30:30 +02:00
host.h mmc: core: Move public functions from host.h to private headers 2017-02-13 13:20:25 +01:00
mmc.c mmc: core: Remove MMC_CAP2_HC_ERASE_SZ 2017-06-20 10:30:48 +02:00
mmc_ops.c mmc: core: Clarify code for sending CSD 2017-06-20 10:30:47 +02:00
mmc_ops.h mmc: core: Re-factor code for sending CID 2017-06-20 10:30:45 +02:00
mmc_test.c mmc: core: Delete error messages for failed memory allocations 2017-06-20 10:30:21 +02:00
pwrseq.c mmc: pwrseq: Add reset callback to the struct mmc_pwrseq_ops 2017-06-20 10:30:09 +02:00
pwrseq.h mmc: pwrseq: Add reset callback to the struct mmc_pwrseq_ops 2017-06-20 10:30:09 +02:00
pwrseq_emmc.c mmc: core: Don't do eMMC HW reset when resuming the eMMC card 2017-06-20 10:30:10 +02:00
pwrseq_sd8787.c mmc: pwrseq: add support for Marvell SD8787 chip 2017-02-13 13:20:33 +01:00
pwrseq_simple.c mmc: pwrseq_simple: Parse DTS for the power-off-delay-us property 2017-05-23 14:17:36 +02:00
queue.c MMC core: 2017-07-04 11:11:56 -07:00
queue.h mmc: block: Move boot partition locking into a driver op 2017-06-20 10:30:26 +02:00
quirks.h mmc: core: add mmc prefix for blk_fixups 2017-02-15 11:34:27 +01:00
sd.c mmc: core: Re-factor code for sending CID 2017-06-20 10:30:45 +02:00
sd.h mmc: core: First step in cleaning up private mmc header files 2017-02-13 13:20:20 +01:00
sd_ops.c mmc: core: add proper be32 annotation 2017-04-24 21:42:19 +02:00
sd_ops.h mmc: core: add proper be32 annotation 2017-04-24 21:42:19 +02:00
sdio.c mmc: sdio: Keep card runtime resumed while adding function devices 2017-06-20 10:30:39 +02:00
sdio_bus.c mmc: sdio: fix alignment issue in struct sdio_func 2017-04-18 19:18:07 +02:00
sdio_bus.h mmc: core: First step in cleaning up private mmc header files 2017-02-13 13:20:20 +01:00
sdio_cis.c mmc: core: remove BUG_ONs from sdio 2016-12-05 10:31:08 +01:00
sdio_cis.h mmc: core: First step in cleaning up private mmc header files 2017-02-13 13:20:20 +01:00
sdio_io.c mmc: core: simplify return code 2017-04-24 21:41:24 +02:00
sdio_irq.c mmc: sdio: Add API to manage SDIO IRQs from a workqueue 2017-06-20 10:30:11 +02:00
sdio_ops.c mmc: sdio: improve mmc_io_rw_extended 2017-04-24 21:41:42 +02:00
sdio_ops.h mmc: sdio: Add API to manage SDIO IRQs from a workqueue 2017-06-20 10:30:11 +02:00
sdio_uart.c mmc: block: Move files to core 2016-12-12 16:30:05 +01:00
slot-gpio.c mmc: slot-gpio: Add support to enable irq wake on cd_irq 2017-06-20 10:30:49 +02:00
slot-gpio.h mmc: core: First step in cleaning up private mmc header files 2017-02-13 13:20:20 +01:00