
Merge tag 'mmc-v7.0-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:

- vub300: Fix use-after-free and NULL-deref on disconnect

* tag 'mmc-v7.0-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
mmc: vub300: fix use-after-free on disconnect
mmc: vub300: fix NULL-deref on disconnect

+12 -7
+12 -7
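--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -369,11 +369,14 @@
 static void vub300_delete(struct kref *kref)
 { /* kref callback - softirq */
 	struct vub300_mmc_host *vub300 = kref_to_vub300_mmc_host(kref);
+	struct mmc_host *mmc = vub300->mmc;
+
 	usb_free_urb(vub300->command_out_urb);
 	vub300->command_out_urb = NULL;
 	usb_free_urb(vub300->command_res_urb);
 	vub300->command_res_urb = NULL;
 	usb_put_dev(vub300->udev);
+	mmc_free_host(mmc);
 	/*
 	 * and hence also frees vub300
 	 * which is contained at the end of struct mmc
@@ -2115,7 +2112,7 @@
 		goto error1;
 	}
 	/* this also allocates memory for our VUB300 mmc host device */
-	mmc = devm_mmc_alloc_host(&udev->dev, sizeof(*vub300));
+	mmc = mmc_alloc_host(sizeof(*vub300), &udev->dev);
 	if (!mmc) {
 		retval = -ENOMEM;
 		dev_err(&udev->dev, "not enough memory for the mmc_host\n");
@@ -2272,7 +2269,7 @@
 		dev_err(&vub300->udev->dev,
 			"Could not find two sets of bulk-in/out endpoint pairs\n");
 		retval = -EINVAL;
-		goto error4;
+		goto err_free_host;
 	}
 	retval =
 		usb_control_msg(vub300->udev, usb_rcvctrlpipe(vub300->udev, 0),
@@ -2281,14 +2278,14 @@
 				0x0000, 0x0000, &vub300->hc_info,
 				sizeof(vub300->hc_info), 1000);
 	if (retval < 0)
-		goto error4;
+		goto err_free_host;
 	retval =
 		usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
 				SET_ROM_WAIT_STATES,
 				USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				firmware_rom_wait_states, 0x0000, NULL, 0, 1000);
 	if (retval < 0)
-		goto error4;
+		goto err_free_host;
 	dev_info(&vub300->udev->dev,
 		 "operating_mode = %s %s %d MHz %s %d byte USB packets\n",
 		 (mmc->caps & MMC_CAP_SDIO_IRQ) ? "IRQs" : "POLL",
@@ -2303,7 +2300,7 @@
 				0x0000, 0x0000, &vub300->system_port_status,
 				sizeof(vub300->system_port_status), 1000);
 	if (retval < 0) {
-		goto error4;
+		goto err_free_host;
 	} else if (sizeof(vub300->system_port_status) == retval) {
 		vub300->card_present =
 			(0x0001 & vub300->system_port_status.port_flags) ? 1 : 0;
@@ -2311,7 +2308,7 @@
 			(0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
 	} else {
 		retval = -EINVAL;
-		goto error4;
+		goto err_free_host;
 	}
 	usb_set_intfdata(interface, vub300);
 	INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread);
@@ -2341,6 +2338,8 @@
 	return 0;
 error6:
 	timer_delete_sync(&vub300->inactivity_timer);
+err_free_host:
+	mmc_free_host(mmc);
 	/*
 	 * and hence also frees vub300
 	 * which is contained at the end of struct mmc
@@ -2370,8 +2365,8 @@
 		usb_set_intfdata(interface, NULL);
 		/* prevent more I/O from starting */
 		vub300->interface = NULL;
-		kref_put(&vub300->kref, vub300_delete);
 		mmc_remove_host(mmc);
+		kref_put(&vub300->kref, vub300_delete);
 		pr_info("USB vub300 remote SDIO host controller[%d]"
 			" now disconnected", ifnum);
 		return;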