linux/drivers/mmc/core
Frank Li b0ea155fa4 mmc: cqhci: Fix random crash when remove mmc module/card
commit f06391c45e83f9a731045deb23df7cc3814fd795 upstream.

[ 6684.493350] Unable to handle kernel paging request at virtual address ffff800011c5b0f0
[ 6684.498531] mmc0: card 0001 removed
[ 6684.501556] Mem abort info:
[ 6684.509681]   ESR = 0x96000047
[ 6684.512786]   EC = 0x25: DABT (current EL), IL = 32 bits
[ 6684.518394]   SET = 0, FnV = 0
[ 6684.521707]   EA = 0, S1PTW = 0
[ 6684.524998] Data abort info:
[ 6684.528236]   ISV = 0, ISS = 0x00000047
[ 6684.532986]   CM = 0, WnR = 1
[ 6684.536129] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000081b22000
[ 6684.543923] [ffff800011c5b0f0] pgd=00000000bffff003, p4d=00000000bffff003, pud=00000000bfffe003, pmd=00000000900e1003, pte=0000000000000000
[ 6684.557915] Internal error: Oops: 96000047 [#1] PREEMPT SMP
[ 6684.564240] Modules linked in: sdhci_esdhc_imx(-) sdhci_pltfm sdhci cqhci mmc_block mmc_core fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine rng_core authenc libdes crct10dif_ce flexcan can_dev caam error [last unloaded: mmc_core]
[ 6684.587281] CPU: 0 PID: 79138 Comm: kworker/0:3H Not tainted 5.10.9-01410-g3ba33182767b-dirty #10
[ 6684.596160] Hardware name: Freescale i.MX8DXL EVK (DT)
[ 6684.601320] Workqueue: kblockd blk_mq_run_work_fn

[ 6684.606094] pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--)
[ 6684.612286] pc : cqhci_request+0x148/0x4e8 [cqhci]
[ 6684.617085] lr : cqhci_request+0x314/0x4e8 [cqhci]
[ 6684.626734] sp : ffff80001243b9f0
[ 6684.630049] x29: ffff80001243b9f0 x28: ffff00002c3dd000
[ 6684.635367] x27: 0000000000000001 x26: 0000000000000001
[ 6684.640690] x25: ffff00002c451000 x24: 000000000000000f
[ 6684.646007] x23: ffff000017e71c80 x22: ffff00002c451000
[ 6684.651326] x21: ffff00002c0f3550 x20: ffff00002c0f3550
[ 6684.656651] x19: ffff000017d46880 x18: ffff00002cea1500
[ 6684.661977] x17: 0000000000000000 x16: 0000000000000000
[ 6684.667294] x15: 000001ee628e3ed1 x14: 0000000000000278
[ 6684.672610] x13: 0000000000000001 x12: 0000000000000001
[ 6684.677927] x11: 0000000000000000 x10: 0000000000000000
[ 6684.683243] x9 : 000000000000002b x8 : 0000000000001000
[ 6684.688560] x7 : 0000000000000010 x6 : ffff00002c0f3678
[ 6684.693886] x5 : 000000000000000f x4 : ffff800011c5b000
[ 6684.699211] x3 : 000000000002d988 x2 : 0000000000000008
[ 6684.704537] x1 : 00000000000000f0 x0 : 0002d9880008102f
[ 6684.709854] Call trace:
[ 6684.712313]  cqhci_request+0x148/0x4e8 [cqhci]
[ 6684.716803]  mmc_cqe_start_req+0x58/0x68 [mmc_core]
[ 6684.721698]  mmc_blk_mq_issue_rq+0x460/0x810 [mmc_block]
[ 6684.727018]  mmc_mq_queue_rq+0x118/0x2b0 [mmc_block]

The problem occurs when cqhci_request() gets called after cqhci_disable() as
it leads to access of allocated memory that has already been freed. Let's
fix the problem by calling cqhci_disable() a bit later in the remove path.

Signed-off-by: Frank Li <Frank.Li@nxp.com>
Diagnosed-by: Adrian Hunter <adrian.hunter@intel.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20210303174248.542175-1-Frank.Li@nxp.com
Fixes: f690f4409d ("mmc: mmc: Enable CQE's")
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-03-17 17:03:48 +01:00
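The ordering hazard the commit describes, reduced to a small model (added example, not the kernel's or the cqhci driver's code): cqe_disable() frees the descriptor list, while blk-mq work that was already queued can still reach the host's request path. If the descriptors are freed before the block device is deleted (the pre-fix order), the queued work writes into freed memory; if the device is deleted first, the queue is flushed while the descriptors are still valid and then quiesced, so nothing reaches the host after the free. Queue depth, descriptor size, the `struct card`/`submit_io`/`run_queued_work` names and the `uaf_hits` counter are assumptions made for the model; the real driver would fault at the write instead of counting it.

```c
/* Teardown-ordering model of the cqhci remove path (added example, not kernel code). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define QDEPTH 16              /* assumed CQE queue depth */
#define TASK_DESC_WORDS 2      /* assumed 16-byte task descriptor */

/* Host-side state that cqe_enable() allocates and cqe_disable() frees. */
struct cqe_host {
    uint64_t *desc_base;       /* task descriptor list (a DMA buffer in the real driver) */
    bool enabled;
};

/* Block-layer side: requests already handed to blk-mq work but not yet issued. */
struct blk_queue {
    int pending;               /* requests queued but not yet issued */
    bool quiesced;             /* set once the block device is deleted */
};

struct card {
    struct cqe_host host;
    struct blk_queue queue;
    int uaf_hits;              /* assumed counter: requests that touched freed descriptors */
};

static void cqe_enable(struct cqe_host *h)
{
    h->desc_base = calloc(QDEPTH * TASK_DESC_WORDS, sizeof(uint64_t));
    h->enabled = h->desc_base != NULL;
}

static void cqe_disable(struct cqe_host *h)
{
    if (!h->enabled)
        return;
    free(h->desc_base);        /* the real driver frees its DMA descriptors here */
    h->desc_base = NULL;
    h->enabled = false;
}

/* Models cqhci_request(): fills in the task descriptor for one request. */
static int cqe_request(struct card *c, unsigned int tag, uint64_t data)
{
    struct cqe_host *h = &c->host;

    if (tag >= QDEPTH)
        return -1;
    if (!h->enabled || h->desc_base == NULL) {
        /* In the real driver this is the store into freed memory that oopses
         * (WnR=1 in the log above); the model counts it instead of storing. */
        c->uaf_hits++;
        return -1;
    }
    h->desc_base[tag * TASK_DESC_WORDS] = data;
    return 0;
}

/* blk-mq work: issue whatever was already queued, unaware of the remove path. */
static void run_queued_work(struct card *c)
{
    unsigned int tag = 0;
    while (c->queue.pending > 0) {
        cqe_request(c, tag++ % QDEPTH, 0x8102f);
        c->queue.pending--;
    }
}

/* Models deleting the block device: flush queued work, then refuse new I/O. */
static void device_del(struct card *c)
{
    run_queued_work(c);
    c->queue.quiesced = true;
}

/* Entry from the block layer; after device_del() nothing gets past this check. */
static int submit_io(struct card *c, unsigned int tag)
{
    if (c->queue.quiesced)
        return -1;
    return cqe_request(c, tag, 0x1);
}

/*
 * Run the remove path with `pending` requests still queued.
 * disable_first=true is the pre-fix order (disable, then delete the device);
 * false is the fixed order (delete the device, then disable).
 * Returns how many requests reached freed descriptor memory.
 */
int remove_card(bool disable_first, int pending)
{
    struct card c;
    memset(&c, 0, sizeof(c));
    cqe_enable(&c.host);
    c.queue.pending = pending;

    if (disable_first) {
        cqe_disable(&c.host);
        device_del(&c);
    } else {
        device_del(&c);
        cqe_disable(&c.host);
    }

    /* Late I/O after removal is rejected by the quiesced queue in both orders. */
    submit_io(&c, 0);
    return c.uaf_hits;
}
```

With three requests still queued, `remove_card(true, 3)` reports three accesses to freed descriptors and `remove_card(false, 3)` reports none: the fix is purely the order of the two teardown steps, not an extra check in the request path, which is why moving the disable call later is sufficient.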
block.c mmc: block: Fixup condition for CMD13 polling for RPMB requests 2020-12-16 10:56:58 +01:00
block.h
bus.c mmc: cqhci: Fix random crash when remove mmc module/card 2021-03-17 17:03:48 +01:00
bus.h
card.h
core.c mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard 2020-04-01 11:01:27 +02:00
core.h mmc: core: Re-work HW reset for SDIO cards 2019-12-21 11:04:24 +01:00
debugfs.c
host.c mmc: core: Rework wp-gpio handling 2020-02-19 19:53:10 +01:00
host.h
Kconfig
Makefile
mmc_ops.c mmc: core: Allow host controllers to require R1B for CMD6 2020-04-01 11:01:27 +02:00
mmc_ops.h
mmc_test.c
mmc.c mmc: core: Fix partition switch time for eMMC 2021-03-17 17:03:48 +01:00
pwrseq_emmc.c
pwrseq_sd8787.c
pwrseq_simple.c
pwrseq.c
pwrseq.h
queue.c mmc: core: don't initialize block size from ext_csd if not present 2021-01-27 11:47:41 +01:00
queue.h
quirks.h mmc: core: fix wl1251 sdio quirks 2020-01-26 10:01:07 +01:00
regulator.c
sd_ops.c
sd_ops.h
sd.c
sd.h
sdio_bus.c mmc: core: Re-work HW reset for SDIO cards 2019-12-21 11:04:24 +01:00
sdio_bus.h
sdio_cis.c mmc: core: Limit retries when analyse of SDIO tuples fails 2021-02-10 09:25:30 +01:00
sdio_cis.h
sdio_io.c
sdio_irq.c
sdio_ops.c mmc: sdio: Use mmc_pre_req() / mmc_post_req() 2020-09-17 13:47:53 +02:00
sdio_ops.h
sdio_uart.c
sdio.c mmc: sdio: Fix several potential memory leaks in mmc_sdio_init_card() 2020-06-17 16:40:38 +02:00
slot-gpio.c mmc: core: Rework wp-gpio handling 2020-02-19 19:53:10 +01:00
slot-gpio.h