mmc: block: Fix invalid data from freed request pointer

when we do blk_end_request*, request pointer may get freed.
Therefore cache request_queue * & tag value at start itself
instead of dereferencing already freed request_queue pointer.

Change-Id: I35def3ef6a260ebe78e92874ac121aca529f00cf
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>

drivers/mmc/card/block.c

@@ -3092,6 +3092,8 @@ static void mmc_blk_cmdq_err(struct mmc_queue *mq)
 	struct mmc_request *mrq = host->err_mrq;
 	struct mmc_card *card = mq->card;
 	struct mmc_cmdq_context_info *ctx_info = &host->cmdq_ctx;
+	struct request_queue *q = mrq->req->q;
+	int tag = mrq->req->tag;
 
 	mmc_rpm_hold(host, &card->dev);
 	mmc_host_clk_hold(host);
@@ -3131,12 +3133,12 @@ static void mmc_blk_cmdq_err(struct mmc_queue *mq)
 			err = send_stop(card, &stop_status);
 			if (err) {
 				pr_err("%s: error %d sending stop command\n",
-				       mrq->req->rq_disk->disk_name, err);
+				       mmc_hostname(host), err);
 				goto reset;
 			}
 		}
 
-		if (mmc_cmdq_discard_queue(host, mrq->req->tag))
+		if (mmc_cmdq_discard_queue(host, tag))
 			goto reset;
 		else
 			goto unhalt;
@@ -3148,7 +3150,7 @@ static void mmc_blk_cmdq_err(struct mmc_queue *mq)
 
 reset:
 	spin_lock_irq(mq->queue->queue_lock);
-	blk_queue_invalidate_tags(mrq->req->q);
+	blk_queue_invalidate_tags(q);
 	spin_unlock_irq(mq->queue->queue_lock);
 	mmc_blk_cmdq_reset(host, true);
 	goto out;
@@ -3161,7 +3163,7 @@ out:
 	mmc_rpm_release(host, &card->dev);
 
 	if (test_and_clear_bit(0, &ctx_info->req_starved))
-		blk_run_queue(mrq->req->q);
+		blk_run_queue(q);
 }
 
 /* invoked by block layer in softirq context */