Hi whitehat002, SUSE currently does not build the moxart driver, let me defer you to security@xxxxxxxxxx and the MMC maintainers. i also opened a bug in our bugzilla just for tracking https://bugzilla.suse.com/show_bug.cgi?id=1194516 Ciao, Marcus On Tue, Jan 11, 2022 at 02:30:32PM +0800, whitehat002 whitehat002 wrote: > Hello suse security team, > > There is a UAF in drivers/mmc/host/moxart-mmc.c > This is similar with > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42933c8aa14be1caa9eda41f65cde8a3a95d3e39 > > > > static int moxart_remove(struct platform_device *pdev) > { > struct mmc_host *mmc = dev_get_drvdata(&pdev->dev); > struct moxart_host *host = mmc_priv(mmc); > > dev_set_drvdata(&pdev->dev, NULL); > > if (!IS_ERR_OR_NULL(host->dma_chan_tx)) > dma_release_channel(host->dma_chan_tx); > if (!IS_ERR_OR_NULL(host->dma_chan_rx)) > dma_release_channel(host->dma_chan_rx); > mmc_remove_host(mmc); > mmc_free_host(mmc); //[0] free > > writel(0, host->base + REG_INTERRUPT_MASK); //[1] host is private data from > mmc_host UAF > writel(0, host->base + REG_POWER_CONTROL); > writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, > host->base + REG_CLOCK_CONTROL); > > return 0; > } > > > > static inline void *mmc_priv(struct mmc_host *host) > { > return (void *)host->private; > } > > > Credit information > Zhihua Yao of KunLun Lab
