From bedcc45c2e5d72b1c4b087b725c391441a93eee6 Mon Sep 17 00:00:00 2001 From: Magnus Damm Date: Wed, 11 Mar 2009 21:59:03 +0900 Subject: [PATCH] tmio_mmc: Fix use after free in remove() Update the tmio_mmc code to call mmc_free_host() when done using the private data. Without this fix the driver frees memory and then keeps on using it as private data. Signed-off-by: Magnus Damm Acked-by: Ian Molton Signed-off-by: Pierre Ossman --- drivers/mmc/host/tmio_mmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mmc/host/tmio_mmc.c b/drivers/mmc/host/tmio_mmc.c index 4f3e265d020..63fbd5b7d31 100644 --- a/drivers/mmc/host/tmio_mmc.c +++ b/drivers/mmc/host/tmio_mmc.c @@ -650,10 +650,10 @@ static int __devexit tmio_mmc_remove(struct platform_device *dev) if (mmc) { struct tmio_mmc_host *host = mmc_priv(mmc); mmc_remove_host(mmc); - mmc_free_host(mmc); free_irq(host->irq, host); iounmap(host->ctl); iounmap(host->cnf); + mmc_free_host(mmc); } return 0; -- 2.41.1