--- /dev/null
+From bd2db32e7c3e35bd4d9b8bbff689434a50893546 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 27 Jan 2022 08:16:38 +0100
+Subject: moxart: fix potential use-after-free on remove path
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit bd2db32e7c3e35bd4d9b8bbff689434a50893546 upstream.
+
+It was reported that the mmc host structure could be accessed after it
+was freed in moxart_remove(), so fix this by saving the base register of
+the device and using it instead of the pointer dereference.
+
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Cc: Xin Xiong <xiongx18@fudan.edu.cn>
+Cc: Xin Tan <tanxin.ctf@gmail.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Yang Li <yang.lee@linux.alibaba.com>
+Cc: linux-mmc@vger.kernel.org
+Cc: stable <stable@vger.kernel.org>
+Reported-by: whitehat002 <hackyzh002@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20220127071638.4057899-1-gregkh@linuxfoundation.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -708,12 +708,12 @@ static int moxart_remove(struct platform
+ if (!IS_ERR_OR_NULL(host->dma_chan_rx))
+ dma_release_channel(host->dma_chan_rx);
+ mmc_remove_host(mmc);
+- mmc_free_host(mmc);
+
+ writel(0, host->base + REG_INTERRUPT_MASK);
+ writel(0, host->base + REG_POWER_CONTROL);
+ writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
+ host->base + REG_CLOCK_CONTROL);
++ mmc_free_host(mmc);
+
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
