DM365 NULL pointer dereference when removing unmounted SD card: drivers/mmc/host/davinci_mmc.c / mmc_davinci_dma_cb()

Thu, 25 Jun 2009 17:09:53 -0700 

I was testing the SD card support in the latest linux-davinci GIT tree.
I had read a file from SD and then written a file.  Before removing the
SD card, I unmounted it (ext2 FS).

Here is the console output: umount command, info that the card removal
was detected, and the  first bit of the kernel dump:

# umount /tmp/mnt
# mmc0: card b368 removed
davinci_mmc davinci_mmc.0: DMA read error
Unable to handle kernel NULL pointer dereference at virtual address
00000010
pgd = c0004000
[00000010] *pgd=00000000
Internal error: Oops: 817 [#1] PREEMPT
Modules linked in:
CPU: 0    Not tainted  (2.6.30-davinci1-05997-g35265ab #7)
PC is at mmc_davinci_dma_cb+0x54/0x74
LR is at mmc_davinci_dma_cb+0x4c/0x74
pc : [<c01bbf30>]    lr : [<c01bbf28>]    psr: 20000013
sp : c0303ef8  ip : c0303e60  fp : 00000000
r10: 00000000  r9 : 00000001  r8 : 00002040
r7 : 00000300  r6 : 00000308  r5 : 00000000  r4 : c798a760
r3 : fffffffb  r2 : 00000000  r1 : 80000013  r0 : 0000002d
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
Control: 0005317f  Table: 87a38000  DAC: 00000017
Process swapper (pid: 0, stack limit = 0xc0302268)
Stack: (0xc0303ef8 to 0xc0304000)
3ee0:                                                       0000001b
c0030854 
3f00: 00000011 00000000 c0332bd0 c7807b80 00000011 00000001 00000000
00000000 
3f20: c0302000 8001ecb4 00000000 c00629a0 c0302000 c030b294 00000011
c7807b80 
3f40: c0332bd0 c0064a60 00000011 00000000 c03065e4 00000002 00000001
c0026050 
3f60: 00000001 ffffffff fec48000 c0026a0c 00000000 0005317f 0005217f
60000013 
3f80: c0027ddc c0302000 c03065e4 c0027ddc c031e808 41069265 8001ecb4
00000000 
3fa0: 600000d3 c0303fb8 c0027e1c c0027e28 60000013 ffffffff 00000000
c0027cc0 
3fc0: c0332d5c c031e7dc c0020ee4 c0306430 8001ece8 c0008b60 c00084ec
00000000 
3fe0: 00000000 c0020ee4 00053175 c031e838 c00212e8 80008034 00000000
00000000 
[<c01bbf30>] (mmc_davinci_dma_cb+0x54/0x74) from [<c0030854>]
(dma_ccerr_handler+0xf0/0x1e4)

In looking in the vmlinux.o file, I found 

00195edc l     F .text  00000074 mmc_davinci_dma_cb

using objdump and going off of : PC is at mmc_davinci_dma_cb+0x54/0x74

0x52C + 0x54 - 0x580

0000052c <mmc_davinci_dma_cb>:
 52c:   e3510001        cmp     r1, #1  ; 0x1
 530:   e92d4010        push    {r4, lr}
 534:   e1a04002        mov     r4, r2
 538:   08bd8010        popeq   {r4, pc}
 53c:   e5923008        ldr     r3, [r2, #8]
 540:   e5930000        ldr     r0, [r3]
 544:   ebfffffe        bl      0 <dev_driver_string>
 548:   e5943004        ldr     r3, [r4, #4]
 54c:   e5942008        ldr     r2, [r4, #8]
 550:   e5933014        ldr     r3, [r3, #20]
 554:   e1a01000        mov     r1, r0
 558:   e3130c01        tst     r3, #256        ; 0x100
 55c:   e5920000        ldr     r0, [r2]
 560:   e59f302c        ldr     r3, [pc, #44]   ; 594 <mmc_davinci_dma_cb+0x68>
 564:   e59f202c        ldr     r2, [pc, #44]   ; 598 <mmc_davinci_dma_cb+0x6c>
 568:   01a03002        moveq   r3, r2
 56c:   e5902008        ldr     r2, [r0, #8]
 570:   e59f0024        ldr     r0, [pc, #36]   ; 59c <mmc_davinci_dma_cb+0x70>
 574:   ebfffffe        bl      0 <printk>
 578:   e5942004        ldr     r2, [r4, #4]
 57c:   e3e03004        mvn     r3, #4  ; 0x4
 580:   e5823010        str     r3, [r2, #16]
 584:   e5941004        ldr     r1, [r4, #4]
 588:   e1a00004        mov     r0, r4
 58c:   e8bd4010        pop     {r4, lr}
 590:   eaffffa0        b       418 <mmc_davinci_xfer_done>

I take it to mean the seg fault happened at

 580:   e5823010        str     r3, [r2, #16]

The source routine is rather short

static void mmc_davinci_dma_cb(unsigned channel, u16 ch_status, void
*data)
{
        if (DMA_COMPLETE != ch_status) {
                struct mmc_davinci_host *host = data;

                /* Currently means:  DMA Event Missed, or "null" transfer
                 * request was seen.  In the future, TC errors (like bad
                 * addresses) might be presented too.
                 */
                dev_warn(mmc_dev(host->mmc), "DMA %s error\n",
                        (host->data->flags & MMC_DATA_WRITE)
                                ? "write" : "read");
                host->data->error = -EIO;
                mmc_davinci_xfer_done(host, host->data);
        }
}

I found:

include/asm-generic/errno-base.h:#define EIO 5 /* I/O error */

so

 57c:   e3e03004        mvn     r3, #4  ; 0x4

and reading that mvn is move NOT, which translates to -5 (0xFB) being
stored r3, meaning the C line that had a NULL pointer dereference is

host->data->error = -EIO;

Should mmc_davinci_dma_cb() check that host->data is not null?

Todd

P.S. I'm a bit confused as to why host->data->flags didn't fail first if
host->data is null.


_______________________________________________
Davinci-linux-open-source mailing list
[email protected]
http://linux.davincidsp.com/mailman/listinfo/davinci-linux-open-source

Reply via email to