git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Johan Hovold <johan@kernel.org>
	Fri, 27 Mar 2026 10:52:06 +0000 (11:52 +0100)
committer	Ulf Hansson <ulf.hansson@linaro.org>
	Tue, 31 Mar 2026 11:11:20 +0000 (13:11 +0200)
commit	8f4d20a710225ec7a565f6a0459862d3b1f32330
tree	9b85d27df14602762383f3fe47f3992960d44eb9	tree \| snapshot
parent	dff34ef879c5e73298443956a8b391311ba78d57	commit \| diff

mmc: vub300: fix use-after-free on disconnect

The vub300 driver maintains an explicit reference count for the
controller and its driver data and the last reference can in theory be
dropped after the driver has been unbound.

This specifically means that the controller allocation must not be
device managed as that can lead to use-after-free.

Note that the lifetime is currently also incorrectly tied the parent USB
device rather than interface, which can lead to memory leaks if the
driver is unbound without its device being physically disconnected (e.g.
on probe deferral).

Fix both issues by reverting to non-managed allocation of the controller.

Fixes: dcfdd698dc52 ("mmc: vub300: Use devm_mmc_alloc_host() helper")
Cc: stable@vger.kernel.org # 6.17+
Cc: Binbin Zhou <zhoubinbin@loongson.cn>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>