From: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> commit bd2db32e7c3e35bd4d9b8bbff689434a50893546 upstream. It was reported that the mmc host structure could be accessed after it was freed in moxart_remove(), so fix this by saving the base register of the device and using it instead of the pointer dereference. Cc: Ulf Hansson <ulf.hansson@xxxxxxxxxx> Cc: Xiyu Yang <xiyuyang19@xxxxxxxxxxxx> Cc: Xin Xiong <xiongx18@xxxxxxxxxxxx> Cc: Xin Tan <tanxin.ctf@xxxxxxxxx> Cc: Tony Lindgren <tony@xxxxxxxxxxx> Cc: Yang Li <yang.lee@xxxxxxxxxxxxxxxxx> Cc: linux-mmc@xxxxxxxxxxxxxxx Cc: stable <stable@xxxxxxxxxxxxxxx> Reported-by: whitehat002 <hackyzh002@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20220127071638.4057899-1-gregkh@xxxxxxxxxxxxxxxxxxx Signed-off-by: Ulf Hansson <ulf.hansson@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/mmc/host/moxart-mmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/mmc/host/moxart-mmc.c +++ b/drivers/mmc/host/moxart-mmc.c @@ -696,12 +696,12 @@ static int moxart_remove(struct platform if (!IS_ERR(host->dma_chan_rx)) dma_release_channel(host->dma_chan_rx); mmc_remove_host(mmc); - mmc_free_host(mmc); writel(0, host->base + REG_INTERRUPT_MASK); writel(0, host->base + REG_POWER_CONTROL); writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF, host->base + REG_CLOCK_CONTROL); + mmc_free_host(mmc); } return 0; }
