[ 59/66] mmc: sdhci: fix NULL dereference in sdhci_request() tuning

From: Greg Kroah-Hartman
Date: Wed Nov 14 2012 - 23:29:31 EST

Next message: Greg Kroah-Hartman: "[ 57/66] futex: Handle futex_pi OWNER_DIED take over correctly"
Previous message: Greg Kroah-Hartman: "[ 58/66] mmc: sh_mmcif: fix use after free"
In reply to: Greg Kroah-Hartman: "[ 58/66] mmc: sh_mmcif: fix use after free"
Next in thread: Greg Kroah-Hartman: "[ 57/66] futex: Handle futex_pi OWNER_DIED take over correctly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Chris Ball <cjb@xxxxxxxxxx>

commit 14efd957209461bbdf285bf0d67e931955d04a4c upstream.

Commit 473b095a72a9 ("mmc: sdhci: fix incorrect command used in tuning")
introduced a NULL dereference at resume-time if an SD 3.0 host controller
raises the SDHCI_NEEDS_TUNING flag while no card is inserted. Seen on an
OLPC XO-4 with sdhci-pxav3, but presumably affects other controllers too.

Signed-off-by: Chris Ball <cjb@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/mmc/host/sdhci.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1307,16 +1307,19 @@ static void sdhci_request(struct mmc_hos
*/
if ((host->flags & SDHCI_NEEDS_RETUNING) &&
!(present_state & (SDHCI_DOING_WRITE | SDHCI_DOING_READ))) {
- /* eMMC uses cmd21 while sd and sdio use cmd19 */
- tuning_opcode = mmc->card->type == MMC_TYPE_MMC ?
- MMC_SEND_TUNING_BLOCK_HS200 :
- MMC_SEND_TUNING_BLOCK;
- spin_unlock_irqrestore(&host->lock, flags);
- sdhci_execute_tuning(mmc, tuning_opcode);
- spin_lock_irqsave(&host->lock, flags);
+ if (mmc->card) {
+ /* eMMC uses cmd21 but sd and sdio use cmd19 */
+ tuning_opcode =
+ mmc->card->type == MMC_TYPE_MMC ?
+ MMC_SEND_TUNING_BLOCK_HS200 :
+ MMC_SEND_TUNING_BLOCK;
+ spin_unlock_irqrestore(&host->lock, flags);
+ sdhci_execute_tuning(mmc, tuning_opcode);
+ spin_lock_irqsave(&host->lock, flags);

- /* Restore original mmc_request structure */
- host->mrq = mrq;
+ /* Restore original mmc_request structure */
+ host->mrq = mrq;
+ }
}

if (mrq->sbc && !(host->flags & SDHCI_AUTO_CMD23))

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "[ 57/66] futex: Handle futex_pi OWNER_DIED take over correctly"
Previous message: Greg Kroah-Hartman: "[ 58/66] mmc: sh_mmcif: fix use after free"
In reply to: Greg Kroah-Hartman: "[ 58/66] mmc: sh_mmcif: fix use after free"
Next in thread: Greg Kroah-Hartman: "[ 57/66] futex: Handle futex_pi OWNER_DIED take over correctly"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]