mmc: fix host release issue after discard operation

commit f662ae48ae67dfd42739e65750274fe8de46240a upstream. Under function mmc_blk_issue_rq, after an MMC discard operation, the MMC request data structure may be freed in memory. Later in the same function, the check of req->cmd_flags & MMC_REQ_SPECIAL_MASK is dangerous and invalid. It causes the MMC host not to be released when it should. This patch fixes the issue by marking the special request down before the discard/flush operation. Reported by: Harold (SoonYeal) Yang <haroldsy@broadcom.com> Signed-off-by: Ray Jui <rjui@broadcom.com> Reviewed-by: Seungwon Jeon <tgih.jun@samsung.com> Acked-by: Seungwon Jeon <tgih.jun@samsung.com> Signed-off-by: Chris Ball <cjb@laptop.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ray Jui <rjui@broadcom.com> 2013-10-26 14:03:44 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-13 16:48:00 -0500
commit: 1e06335d339132ecbb4196ede2cf1c2b618b0121 (patch)
tree: e71c8b075b122f0191a645a212e04cfb90f76299 /drivers/mmc/card
parent: 48526149964e69fc54a06c409e13d36990386464 (diff)
1 files changed, 4 insertions, 3 deletions
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 76a3d3a752d8..9aca9462a12f 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -1931,6 +1931,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
        struct mmc_card *card = md->queue.card;
        struct mmc_host *host = card->host;
        unsigned long flags;
+        unsigned int cmd_flags = req ? req->cmd_flags : 0;
        if (req && !mq->mqrq_prev->req)
                /* claim host only for the first request */
@@ -1946,7 +1947,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
        }
        mq->flags &= ~MMC_QUEUE_NEW_REQUEST;
-        if (req && req->cmd_flags & REQ_DISCARD) {
+        if (cmd_flags & REQ_DISCARD) {
                /* complete ongoing async transfer before issuing discard */
                if (card->host->areq)
                        mmc_blk_issue_rw_rq(mq, NULL);
@@ -1955,7 +1956,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
                        ret = mmc_blk_issue_secdiscard_rq(mq, req);
                else
                        ret = mmc_blk_issue_discard_rq(mq, req);
-        } else if (req && req->cmd_flags & REQ_FLUSH) {
+        } else if (cmd_flags & REQ_FLUSH) {
                /* complete ongoing async transfer before issuing flush */
                if (card->host->areq)
                        mmc_blk_issue_rw_rq(mq, NULL);
@@ -1971,7 +1972,7 @@ static int mmc_blk_issue_rq(struct mmc_queue *mq, struct request *req)
 out:
        if ((!req && !(mq->flags & MMC_QUEUE_NEW_REQUEST)) ||
-             (req && (req->cmd_flags & MMC_REQ_SPECIAL_MASK)))
+             (cmd_flags & MMC_REQ_SPECIAL_MASK))
                /*
                 * Release host when there are no more requests
                 * and after special request(discard, flush) is done.
author	Ray Jui <rjui@broadcom.com>	2013-10-26 14:03:44 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2014-02-13 16:48:00 -0500
commit	1e06335d339132ecbb4196ede2cf1c2b618b0121 (patch)
tree	e71c8b075b122f0191a645a212e04cfb90f76299 /drivers/mmc/card
parent	48526149964e69fc54a06c409e13d36990386464 (diff)