RE: [PATCH] mmc: core: Fix null pointer dereference in bus_shutdown

"Seunghui Lee" <sh043.lee@xxxxxxxxxxx> · Fri, 26 Jan 2024 14:16:57 +0900

> -----Original Message-----
> From: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
> Sent: Friday, January 19, 2024 5:21 PM
> To: Seunghui Lee <sh043.lee@xxxxxxxxxxx>
> Cc: linux-mmc@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> ulf.hansson@xxxxxxxxxx; avri.altman@xxxxxxx; grant.jung@xxxxxxxxxxx;
> jt77.jang@xxxxxxxxxxx; dh0421.hwang@xxxxxxxxxxx; junwoo80.lee@xxxxxxxxxxx;
> jangsub.yi@xxxxxxxxxxx; cw9316.lee@xxxxxxxxxxx; sh8267.baek@xxxxxxxxxxx;
> wkon.kim@xxxxxxxxxxx
> Subject: Re: [PATCH] mmc: core: Fix null pointer dereference in
> bus_shutdown
> 
> On Fri, Jan 19, 2024 at 04:32:47PM +0900, Seunghui Lee wrote:
> > When shutting down removable device,
> > it can be occurred null pointer dereference.
> 
> How?
> 
> And please wrap your lines properly.
> 
> > To prevent null pointer dereference,
> > At first, check null pointer.
> > Next, block rescan worker to scan removable device during shutdown.
> 
> Why do two things?
> 
> >
> > Signed-off-by: Seunghui Lee <sh043.lee@xxxxxxxxxxx>
> > ---
> >  drivers/mmc/core/bus.c | 10 +++++++++-
> >  1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/mmc/core/bus.c b/drivers/mmc/core/bus.c index
> > 0af96548e7da..4f370a6577aa 100644
> > --- a/drivers/mmc/core/bus.c
> > +++ b/drivers/mmc/core/bus.c
> > @@ -143,9 +143,17 @@ static void mmc_bus_shutdown(struct device *dev)
> > {
> >  	struct mmc_driver *drv = to_mmc_driver(dev->driver);
> >  	struct mmc_card *card = mmc_dev_to_card(dev);
> > -	struct mmc_host *host = card->host;
> > +	struct mmc_host *host;
> >  	int ret;
> >
> > +	if (!drv || !card) {
> > +		pr_debug("%s: drv or card is NULL.\n", dev_name(dev));
> 
> What is this going to help with?  And why not use dev_dbg()?
> 
> How can drv ever be NULL?  That looks impossible to me based on just the
> code shown here.
> 
> > +		return;
> > +	}
> > +
> > +	host = card->host;
> 
> Why is this change needed?  This line can go back to the top just fine,
> right?
> 
> > +	host->rescan_disable = 1;
> 
> Shouldn't this be a separate change?  And what happens if the check for
> this is right before you set it?  Where is the locking to prevent the
> issue you are attempting to solve?
> 
> thanks,
> 
> greg k-h

I've checked the issue again.
This patch is not the proper solution.
I'll reject this patch.
Hi, Thank you for your comment.