From patchwork Tue Oct 23 12:08:52 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
X-Patchwork-Id: 1630181
Return-Path: <linux-mmc-owner@vger.kernel.org>
X-Original-To: patchwork-linux-mmc@patchwork.kernel.org
Delivered-To: patchwork-process-083081@patchwork1.kernel.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by patchwork1.kernel.org (Postfix) with ESMTP id A6C0040233
	for <patchwork-linux-mmc@patchwork.kernel.org>;
	Tue, 23 Oct 2012 12:08:58 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753677Ab2JWMI5 (ORCPT
	<rfc822;patchwork-linux-mmc@patchwork.kernel.org>);
	Tue, 23 Oct 2012 08:08:57 -0400
Received: from moutng.kundenserver.de ([212.227.126.171]:63905 "EHLO
	moutng.kundenserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752622Ab2JWMI4 (ORCPT
	<rfc822; linux-mmc@vger.kernel.org>); Tue, 23 Oct 2012 08:08:56 -0400
Received: from axis700.grange (dslb-178-006-255-175.pools.arcor-ip.net
	[178.6.255.175])
	by mrelayeu.kundenserver.de (node=mreu2) with ESMTP (Nemesis)
	id 0LqpCY-1SvALm32J8-00eWzl; Tue, 23 Oct 2012 14:08:53 +0200
Received: by axis700.grange (Postfix, from userid 1000)
	id 422C140BDC; Tue, 23 Oct 2012 14:08:52 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by axis700.grange (Postfix) with ESMTP id 3FA3440BDA;
	Tue, 23 Oct 2012 14:08:52 +0200 (CEST)
Date: Tue, 23 Oct 2012 14:08:52 +0200 (CEST)
From: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
X-X-Sender: lyakh@axis700.grange
To: linux-mmc@vger.kernel.org
cc: linux-sh@vger.kernel.org, Chris Ball <cjb@laptop.org>
Subject: [PATCH] mmc: sh_mmcif: fix use after free
Message-ID: <Pine.LNX.4.64.1210231406080.13115@axis700.grange>
MIME-Version: 1.0
X-Provags-ID: V02:K0:O7yWkdSrS1WkqRn+V9jS6RxMlfZJZsxROv9UNVYlOTE
	iReNGYpIKqvYaXtROYOcqJE5kC15MA0v/LzNBdLvQz76/3Wfl+
	ln3A2WhHbwPwVy5nI2T7qrszmD5K1o0DlwmYw3tpQZ5FgPhN2q
	2I/Z1k/Ghoth5RLsaCY9Rz9M0DQRyfpWbR2eTTBOIHFrpt2oBK
	soCwNLxyyxQPfGhMoL0Fd6pMJ3wOWjWKb/LM9T5M4OCS5O91iu
	4LQ3VqvDZi/G6Q7yA2t2+OFGK9ORx36ktCgO3p/gnCNl4dQO0p
	bK6nKeopbHkLFD9Sb/OEiBFAIpiVN2K8+Bz9c8lcXgwfVhaR8N
	Da+Ae2S9tFqqz4ADHmsfr2/jWb88QJE4CQoVgq3DPsz086hmc1
	FjOcna+K3FhLw==
Sender: linux-mmc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-mmc.vger.kernel.org>
X-Mailing-List: linux-mmc@vger.kernel.org

A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
mmc_free_host() frees private driver data, therefore using it afterwards
is a bug. Revert that hunk.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
---

Chris, the offending patch appeared in 3.6, so, this has to go to 
3.6.stable, as well as to 3.7-rc.

 drivers/mmc/host/sh_mmcif.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
index 11d2bc3..d25bc97 100644
--- a/drivers/mmc/host/sh_mmcif.c
+++ b/drivers/mmc/host/sh_mmcif.c
@@ -1466,9 +1466,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
 
 	platform_set_drvdata(pdev, NULL);
 
+	clk_disable(host->hclk);
 	mmc_free_host(host->mmc);
 	pm_runtime_put_sync(&pdev->dev);
-	clk_disable(host->hclk);
 	pm_runtime_disable(&pdev->dev);
 
 	return 0;