Re: [PATCH 02/05] tmio_mmc: Fix use after free in remove()

From: Ian Molton
Date: Wed Mar 11 2009 - 10:28:31 EST

Next message: Alan D. Brunelle: "Re: PROBLEM: kernel BUG at mm/slab.c:3002!"
Previous message: Ian Molton: "Re: [PATCH 05/05] tmio_mmc: Support multiple interrupts"
In reply to: Magnus Damm: "[PATCH 02/05] tmio_mmc: Fix use after free in remove()"
Next in thread: Magnus Damm: "[PATCH 03/05] tmio_mmc: Break out cnf area operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Magnus Damm wrote:

From: Magnus Damm <damm@xxxxxxxxxxxxx>

Update the tmio_mmc code to call mmc_free_host() when
done using the private data. Without this fix the driver
frees memory and then keeps on using it as private data.

Signed-off-by: Magnus Damm <damm@xxxxxxxxxxxxx>

Acked-by: Ian Molton <ian@xxxxxxxxxxxxxx>

---

drivers/mmc/host/tmio_mmc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- 0010/drivers/mmc/host/tmio_mmc.c
+++ work/drivers/mmc/host/tmio_mmc.c 2009-03-11 19:24:03.000000000 +0900
@@ -650,10 +650,10 @@ static int __devexit tmio_mmc_remove(str
if (mmc) {
struct tmio_mmc_host *host = mmc_priv(mmc);
mmc_remove_host(mmc);
- mmc_free_host(mmc);
free_irq(host->irq, host);
iounmap(host->ctl);
iounmap(host->cnf);
+ mmc_free_host(mmc);
}
return 0;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan D. Brunelle: "Re: PROBLEM: kernel BUG at mm/slab.c:3002!"
Previous message: Ian Molton: "Re: [PATCH 05/05] tmio_mmc: Support multiple interrupts"
In reply to: Magnus Damm: "[PATCH 02/05] tmio_mmc: Fix use after free in remove()"
Next in thread: Magnus Damm: "[PATCH 03/05] tmio_mmc: Break out cnf area operations"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]