Linux 3.6.7

[thirdparty/kernel/stable-queue.git] / releases / 3.6.7 / mmc-sh_mmcif-fix-use-after-free.patch

diff --git a/releases/3.6.7/mmc-sh_mmcif-fix-use-after-free.patch b/releases/3.6.7/mmc-sh_mmcif-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..91c58e0
--- /dev/null
+++ b/releases/3.6.7/mmc-sh_mmcif-fix-use-after-free.patch
@@ -0,0 +1,35 @@
+From a0d28ba01ebd048b4ba418142b37f5cf80e6d156 Mon Sep 17 00:00:00 2001
+From: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
+Date: Tue, 23 Oct 2012 14:08:52 +0200
+Subject: mmc: sh_mmcif: fix use after free
+
+From: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
+
+commit a0d28ba01ebd048b4ba418142b37f5cf80e6d156 upstream.
+
+A recent commit "mmc: sh_mmcif: fix clock management" has introduced a
+use after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
+mmc_free_host() frees private driver data, therefore using it afterwards
+is a bug. Revert that hunk.
+
+Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
+Signed-off-by: Chris Ball <cjb@laptop.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sh_mmcif.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sh_mmcif.c
++++ b/drivers/mmc/host/sh_mmcif.c
+@@ -1464,9 +1464,9 @@ static int __devexit sh_mmcif_remove(str
+ 
+       platform_set_drvdata(pdev, NULL);
+ 
++      clk_disable(host->hclk);
+       mmc_free_host(host->mmc);
+       pm_runtime_put_sync(&pdev->dev);
+-      clk_disable(host->hclk);
+       pm_runtime_disable(&pdev->dev);
+ 
+       return 0;