tmio_mmc: Fix use after free in remove() Update the tmio_mmc code to call mmc_free_host() when done using the private data. Without this fix the driver frees memory and then keeps on using it as private data. Signed-off-by: Magnus Damm <damm@opensource.se> Acked-by: Ian Molton <ian@mnementh.co.uk> Signed-off-by: Pierre Ossman <drzeus@drzeus.cx>

commit: bedcc45c2e5d72b1c4b087b725c391441a93eee6 [log] [tgz]
author: Magnus Damm <damm@opensource.se> Wed Mar 11 21:59:03 2009 +0900
committer: Pierre Ossman <drzeus@drzeus.cx> Tue Mar 24 21:30:03 2009 +0100
tree: 366a7472ebe65f9bba02d3599282022ca120ac72
parent: bc6772a023ceab8df404b18b31c27f764dcf5b3f [diff] [blame]
diff --git a/drivers/mmc/host/tmio_mmc.c b/drivers/mmc/host/tmio_mmc.c
index 4f3e265..63fbd5b 100644
--- a/drivers/mmc/host/tmio_mmc.c
+++ b/drivers/mmc/host/tmio_mmc.c

@@ -650,10 +650,10 @@
 	if (mmc) {
 		struct tmio_mmc_host *host = mmc_priv(mmc);
 		mmc_remove_host(mmc);
-		mmc_free_host(mmc);
 		free_irq(host->irq, host);
 		iounmap(host->ctl);
 		iounmap(host->cnf);
+		mmc_free_host(mmc);
 	}
 
 	return 0;
commit	bedcc45c2e5d72b1c4b087b725c391441a93eee6	[log] [tgz]
author	Magnus Damm <damm@opensource.se>	Wed Mar 11 21:59:03 2009 +0900
committer	Pierre Ossman <drzeus@drzeus.cx>	Tue Mar 24 21:30:03 2009 +0100
tree	366a7472ebe65f9bba02d3599282022ca120ac72
parent	bc6772a023ceab8df404b18b31c27f764dcf5b3f [diff] [blame]