MMC host:

- vub300: Fix use-after-free and NULL-deref on disconnect
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmnXw0wXHHVsZi5oYW5z
 c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCnuCA//enyP0ulyaQPHJtPDqJl7DesS
 njpCIQDyCHj9vE8XYUJi4KqxsIHi7H4S4aDe8h0uFv2YTZSIB6hXgU4/FHNTJB2G
 SQmvwFYq76wj90ubj9C5qssa8yPw01VVCDV6Y5nAueSWPQLwlPX8ZbLhi3mXihM+
 A6V0aqN8hExB92wkMH10+nDS2ueW41MIYe+P23t98oWP6T+rRkjpwdXM/P9etA3q
 y5RE+2YwM0XJRk5pBFF01qhLnOHW4V4+9z4d1nRd7ng2svK89NMMNMYXo6BhN13T
 bTNFYR3SsxQI8n278ciSEfR3OaBBIMg+8odh7NJamGsPWHiela0ZdaZ+TLJNKCpe
 UY/tfkzhe70opRCDGzMXFyQxZc5FFOFfe9we7gnIA1KFHUm0aig+UCi4GUjCZ4oJ
 AaNcDMa3m9yPRyYCOnlrr5dM1rFXBXLJlmFj9d8Vt/ritHMYDahlHkkZyH2mKjZY
 7/t070rYsAd8puIFSJyFKHojqy8GyArpIHOQaVoVP8GDXidqH/d6EHRDvx/meS36
 T4ezujQQISD3Q0ndXcmh2nThrLEmEAvyS6Vi/O31JEfI+epCvbLuaoKg7XhLuemf
 8RIA+ZZqZyzepM6lpT5tLs7ohzUW3ioYfXxCCgK7fIMhYgf1EtPEzfs+18HVAaJB
 ZHuHwpqICDjfEKczRng=
 =xsKQ
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v7.0-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:

 - vub300: Fix use-after-free and NULL-deref on disconnect

* tag 'mmc-v7.0-rc1-3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: vub300: fix use-after-free on disconnect
  mmc: vub300: fix NULL-deref on disconnect
Linus Torvalds 2026-04-09 11:13:15 -07:00
commit 4e1538b1f1


@ -369,11 +369,14 @@ struct vub300_mmc_host {
static void vub300_delete(struct kref *kref)
{ /* kref callback - softirq */
struct vub300_mmc_host *vub300 = kref_to_vub300_mmc_host(kref);
struct mmc_host *mmc = vub300->mmc;
usb_free_urb(vub300->command_out_urb);
vub300->command_out_urb = NULL;
usb_free_urb(vub300->command_res_urb);
vub300->command_res_urb = NULL;
usb_put_dev(vub300->udev);
mmc_free_host(mmc);
/*
* and hence also frees vub300
* which is contained at the end of struct mmc
@ -2112,7 +2115,7 @@ static int vub300_probe(struct usb_interface *interface,
goto error1;
}
/* this also allocates memory for our VUB300 mmc host device */
mmc = devm_mmc_alloc_host(&udev->dev, sizeof(*vub300));
mmc = mmc_alloc_host(sizeof(*vub300), &udev->dev);
if (!mmc) {
retval = -ENOMEM;
dev_err(&udev->dev, "not enough memory for the mmc_host\n");
@ -2269,7 +2272,7 @@ static int vub300_probe(struct usb_interface *interface,
dev_err(&vub300->udev->dev,
"Could not find two sets of bulk-in/out endpoint pairs\n");
retval = -EINVAL;
goto error4;
goto err_free_host;
}
retval =
usb_control_msg(vub300->udev, usb_rcvctrlpipe(vub300->udev, 0),
@ -2278,14 +2281,14 @@ static int vub300_probe(struct usb_interface *interface,
0x0000, 0x0000, &vub300->hc_info,
sizeof(vub300->hc_info), 1000);
if (retval < 0)
goto error4;
goto err_free_host;
retval =
usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
SET_ROM_WAIT_STATES,
USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
firmware_rom_wait_states, 0x0000, NULL, 0, 1000);
if (retval < 0)
goto error4;
goto err_free_host;
dev_info(&vub300->udev->dev,
"operating_mode = %s %s %d MHz %s %d byte USB packets\n",
(mmc->caps & MMC_CAP_SDIO_IRQ) ? "IRQs" : "POLL",
@ -2300,7 +2303,7 @@ static int vub300_probe(struct usb_interface *interface,
0x0000, 0x0000, &vub300->system_port_status,
sizeof(vub300->system_port_status), 1000);
if (retval < 0) {
goto error4;
goto err_free_host;
} else if (sizeof(vub300->system_port_status) == retval) {
vub300->card_present =
(0x0001 & vub300->system_port_status.port_flags) ? 1 : 0;
@ -2308,7 +2311,7 @@ static int vub300_probe(struct usb_interface *interface,
(0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
} else {
retval = -EINVAL;
goto error4;
goto err_free_host;
}
usb_set_intfdata(interface, vub300);
INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread);
@ -2338,6 +2341,8 @@ static int vub300_probe(struct usb_interface *interface,
return 0;
error6:
timer_delete_sync(&vub300->inactivity_timer);
err_free_host:
mmc_free_host(mmc);
/*
* and hence also frees vub300
* which is contained at the end of struct mmc
@ -2365,8 +2370,8 @@ static void vub300_disconnect(struct usb_interface *interface)
usb_set_intfdata(interface, NULL);
/* prevent more I/O from starting */
vub300->interface = NULL;
kref_put(&vub300->kref, vub300_delete);
mmc_remove_host(mmc);
kref_put(&vub300->kref, vub300_delete);
pr_info("USB vub300 remote SDIO host controller[%d]"
" now disconnected", ifnum);
return;
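Review bot: vub300_delete() is still annotated `/* kref callback - softirq */`, yet the new side makes it the place where `mmc_free_host(mmc)` runs. If the final kref_put() can in fact arrive from atomic context, any step inside mmc_free_host() that may sleep would be a bug, and nothing in this section settles that. Either confirm that the last reference is only ever dropped from process context and update the annotation to say so, or hand the free off to a work item. In vub300_disconnect() the new order puts `kref_put(&vub300->kref, vub300_delete)` after `mmc_remove_host(mmc)`, so a one-line comment such as `/* may free vub300 and mmc; neither may be touched below */` would guard against a later edit reintroducing the use-after-free. The end of vub300_delete() and the labels that follow `err_free_host:` in vub300_probe() lie outside the visible hunks.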