From: Magnus Damm
Date: Wed, 11 Mar 2009 12:59:03 +0000 (+0900)
Subject: tmio_mmc: Fix use after free in remove()
X-Git-Tag: firefly_0821_release~14784^2~26
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=bedcc45c2e5d72b1c4b087b725c391441a93eee6;p=firefly-linux-kernel-4.4.55.git
tmio_mmc: Fix use after free in remove()
Update the tmio_mmc code to call mmc_free_host() when done using the private data. Without this fix the driver frees memory and then keeps on using it as private data.
Signed-off-by: Magnus Damm
Acked-by: Ian Molton
Signed-off-by: Pierre Ossman
---
diff --git a/drivers/mmc/host/tmio_mmc.c b/drivers/mmc/host/tmio_mmc.c
index 4f3e265d0203..63fbd5b7d312 100644
--- a/drivers/mmc/host/tmio_mmc.c
+++ b/drivers/mmc/host/tmio_mmc.c
@@ -650,10 +650,10 @@ static int __devexit tmio_mmc_remove(struct platform_device *dev)
 if (mmc) {
 struct tmio_mmc_host *host = mmc_priv(mmc);
 mmc_remove_host(mmc);
- mmc_free_host(mmc);
 free_irq(host->irq, host);
 iounmap(host->ctl);
 iounmap(host->cnf);
+ mmc_free_host(mmc);
 }
 return 0;
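Review bot: The lifetime rule that this reordering in tmio_mmc_remove() depends on is not written down next to the code: `host` is obtained with `mmc_priv(mmc)`, so it is only usable while `mmc` is still allocated, and `mmc_free_host(mmc)` has to stay the last statement of the `if (mmc)` block. A one-line comment above the call would keep a later cleanup from moving it back up, for example `/* host is mmc's private data: free mmc only after the last use of host */`. The rest of the teardown order shown looks consistent, with `free_irq()` called before the two `iounmap()` calls, so the handler is gone before the mappings are; whether the handler touches those mappings is not visible here. The opening of the function is outside the hunk, so how `mmc` is looked up and whether anything else still holds `host` cannot be checked from this diff.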