From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 9 Feb 2022 13:08:59 +0000 (+0100)
Subject: 4.14-stable patches
X-Git-Tag: v4.9.301~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7739f628c14aa58f129b0c2d9b17a4612644d170;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	moxart-fix-potential-use-after-free-on-remove-path.patch
---

diff --git a/queue-4.14/moxart-fix-potential-use-after-free-on-remove-path.patch b/queue-4.14/moxart-fix-potential-use-after-free-on-remove-path.patch
new file mode 100644
index 00000000000..9a1fc643f25
--- /dev/null
+++ b/queue-4.14/moxart-fix-potential-use-after-free-on-remove-path.patch
@@ -0,0 +1,46 @@
+From bd2db32e7c3e35bd4d9b8bbff689434a50893546 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 27 Jan 2022 08:16:38 +0100
+Subject: moxart: fix potential use-after-free on remove path
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit bd2db32e7c3e35bd4d9b8bbff689434a50893546 upstream.
+
+It was reported that the mmc host structure could be accessed after it
+was freed in moxart_remove(), so fix this by saving the base register of
+the device and using it instead of the pointer dereference.
+
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Cc: Xin Xiong <xiongx18@fudan.edu.cn>
+Cc: Xin Tan <tanxin.ctf@gmail.com>
+Cc: Tony Lindgren <tony@atomide.com>
+Cc: Yang Li <yang.lee@linux.alibaba.com>
+Cc: linux-mmc@vger.kernel.org
+Cc: stable <stable@vger.kernel.org>
+Reported-by: whitehat002 <hackyzh002@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20220127071638.4057899-1-gregkh@linuxfoundation.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -696,12 +696,12 @@ static int moxart_remove(struct platform
+ 		if (!IS_ERR(host->dma_chan_rx))
+ 			dma_release_channel(host->dma_chan_rx);
+ 		mmc_remove_host(mmc);
+-		mmc_free_host(mmc);
+ 
+ 		writel(0, host->base + REG_INTERRUPT_MASK);
+ 		writel(0, host->base + REG_POWER_CONTROL);
+ 		writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
+ 		       host->base + REG_CLOCK_CONTROL);
++		mmc_free_host(mmc);
+ 	}
+ 	return 0;
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index cf94f67b753..8a9e665bdad 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1 +1,2 @@
 cgroup-v1-require-capabilities-to-set-release_agent.patch
+moxart-fix-potential-use-after-free-on-remove-path.patch