
mmc: sh_mmcif: fix use after free

Message ID Pine.LNX.4.64.1210231406080.13115@axis700.grange (mailing list archive)
State Superseded

Commit Message

Guennadi Liakhovetski Oct. 23, 2012, 12:08 p.m. UTC
A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
mmc_free_host() frees private driver data, therefore using it afterwards
is a bug. Revert that hunk.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
---

Chris, the offending patch appeared in 3.6, so, this has to go to 
3.6.stable, as well as to 3.7-rc.

 drivers/mmc/host/sh_mmcif.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

Comments

Chris Ball Oct. 29, 2012, 9:23 p.m. UTC | #1
Hi Guennadi,

On Tue, Oct 23 2012, Guennadi Liakhovetski wrote:
> A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
> after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
> mmc_free_host() frees private driver data, therefore using it afterwards
> is a bug. Revert that hunk.
>
> Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
> ---
>
> Chris, the offending patch appeared in 3.6, so, this has to go to 
> 3.6.stable, as well as to 3.7-rc.
>
>  drivers/mmc/host/sh_mmcif.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
> index 11d2bc3..d25bc97 100644
> --- a/drivers/mmc/host/sh_mmcif.c
> +++ b/drivers/mmc/host/sh_mmcif.c
> @@ -1466,9 +1466,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
>  
>  	platform_set_drvdata(pdev, NULL);
>  
> +	clk_disable(host->hclk);
>  	mmc_free_host(host->mmc);
>  	pm_runtime_put_sync(&pdev->dev);
> -	clk_disable(host->hclk);
>  	pm_runtime_disable(&pdev->dev);
>  
>  	return 0;

Thanks, pushed to mmc-next for 3.7.  In future, feel free to note the
stable@ situation by adding:

   Cc: stable@vger.kernel.org [3.6]

- Chris.

Guennadi Liakhovetski Oct. 30, 2012, 10:08 p.m. UTC | #2
Hi Chris

On Mon, 29 Oct 2012, Chris Ball wrote:

> Hi Guennadi,
> 
> On Tue, Oct 23 2012, Guennadi Liakhovetski wrote:
> > A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
> > after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
> > mmc_free_host() frees private driver data, therefore using it afterwards
> > is a bug. Revert that hunk.
> >
> > Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
> > ---
> >
> > Chris, the offending patch appeared in 3.6, so, this has to go to 
> > 3.6.stable, as well as to 3.7-rc.
> >
> >  drivers/mmc/host/sh_mmcif.c |    2 +-
> >  1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
> > index 11d2bc3..d25bc97 100644
> > --- a/drivers/mmc/host/sh_mmcif.c
> > +++ b/drivers/mmc/host/sh_mmcif.c
> > @@ -1466,9 +1466,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
> >  
> >  	platform_set_drvdata(pdev, NULL);
> >  
> > +	clk_disable(host->hclk);
> >  	mmc_free_host(host->mmc);
> >  	pm_runtime_put_sync(&pdev->dev);
> > -	clk_disable(host->hclk);
> >  	pm_runtime_disable(&pdev->dev);
> >  
> >  	return 0;
> 
> Thanks, pushed to mmc-next for 3.7.

Thanks!

> In future, feel free to note the
> stable@ situation by adding:
> 
>    Cc: stable@vger.kernel.org [3.6]

Hm, a bit confused. I seem to remember that one of the subsystem maintainers,
to whom I also submitted a patch that should also have been forwarded to
stable, told me that adding this "Cc: stable@..." tag was a task of
subsystem maintainers, in that case his task, and not of individual
submitters, who might only indicate their opinion in this respect. Am I
wrong?

Thanks
Guennadi
---
Guennadi Liakhovetski, Ph.D.
Freelance Open-Source Software Developer
http://www.open-technology.de/
Chris Ball Oct. 30, 2012, 10:37 p.m. UTC | #3
Hi Guennadi,

On Tue, Oct 30 2012, Guennadi Liakhovetski wrote:
>> In future, feel free to note the
>> stable@ situation by adding:
>> 
>>    Cc: stable@vger.kernel.org [3.6]
>
> Hm, a bit confused. I seem to remember that one of the subsystem maintainers,
> to whom I also submitted a patch that should also have been forwarded to
> stable, told me that adding this "Cc: stable@..." tag was a task of
> subsystem maintainers, in that case his task, and not of individual
> submitters, who might only indicate their opinion in this respect. Am I
> wrong?

Oh, interesting; I haven't seen that complaint myself.  I don't think
there's a kernel-wide rule about this, but I might be wrong.

Personally, I'm happy with receiving the stable@ tag because I like it
when patch authors think about -stable and I want to encourage them to
do so.  (Often they know whether a patch is needed in -stable better
than I do.)

Of course, the stable@ team isn't going to do anything until the patch
enters mainline, and the patch is only going to enter mainline through
my tree after I've had a chance to change the stable@ tag if necessary,
so there's no problem for me there.

Sorry to leave you in the middle of conflicting advice. :-)  The stable@
hint is appreciated in either form; I was just trying to save you some
typing.

Thanks!

- Chris.

Patch

diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
index 11d2bc3..d25bc97 100644
--- a/drivers/mmc/host/sh_mmcif.c
+++ b/drivers/mmc/host/sh_mmcif.c
@@ -1466,9 +1466,9 @@  static int __devexit sh_mmcif_remove(struct platform_device *pdev)
 
 	platform_set_drvdata(pdev, NULL);
 
+	clk_disable(host->hclk);
 	mmc_free_host(host->mmc);
 	pm_runtime_put_sync(&pdev->dev);
-	clk_disable(host->hclk);
 	pm_runtime_disable(&pdev->dev);
 
 	return 0;
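Review bot: the reorder is correct, but the commit message should spell out why the old position was a use after free: `host` is the driver-private data that lives inside the allocation `mmc_free_host(host->mmc)` releases, so the removed `clk_disable(host->hclk);` below that call reads `host->hclk` out of freed memory, and every `host->` dereference in `sh_mmcif_remove()` has to come before `mmc_free_host()`. If the "fix clock management" commit placed `clk_disable()` after `pm_runtime_put_sync()` on purpose, that ordering can be kept without the bug by caching the clock before the free, e.g. `struct clk *hclk = host->hclk;` ahead of `mmc_free_host(host->mmc);` and `clk_disable(hclk);` after `pm_runtime_put_sync(&pdev->dev);`; otherwise a one-line comment above `mmc_free_host()` stating that `host` is invalid past that point would keep the same hunk from being reintroduced.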