* [PATCH] mmc: sh_mmcif: fix use after free
From: Guennadi Liakhovetski @ 2012-10-23 12:08 UTC (permalink / raw)
To: linux-mmc; +Cc: linux-sh, Chris Ball
A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
mmc_free_host() frees private driver data, therefore using it afterwards
is a bug. Revert that hunk.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
---
Chris, the offending patch appeared in 3.6, so, this has to go to
3.6.stable, as well as to 3.7-rc.
drivers/mmc/host/sh_mmcif.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
index 11d2bc3..d25bc97 100644
--- a/drivers/mmc/host/sh_mmcif.c
+++ b/drivers/mmc/host/sh_mmcif.c
@@ -1466,9 +1466,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
platform_set_drvdata(pdev, NULL);
+ clk_disable(host->hclk);
mmc_free_host(host->mmc);
pm_runtime_put_sync(&pdev->dev);
- clk_disable(host->hclk);
pm_runtime_disable(&pdev->dev);
return 0;
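Review bot: nothing at the mmc_free_host(host->mmc) line says that host itself dies there, which is how clk_disable(host->hclk) ended up below it in the first place. Since the commit message states that mmc_free_host() frees the private driver data, consider a one-line comment above that call (for example "host is freed together with the mmc_host, no host-> access below this line") so a later reordering of this teardown does not reintroduce the use after free. The calls that remain after the free, pm_runtime_put_sync(&pdev->dev) and pm_runtime_disable(&pdev->dev), only take pdev, so the order shown in the hunk looks safe.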
--
1.7.2.5
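The lifetime rule the commit message relies on, as an added example that is not part of the original patch or of the kernel sources: a userspace C model in which the driver's private data lives inside the host allocation, so freeing the host poisons the private data too. All model_* names are hypothetical, and the static slot that is poisoned but never reused stands in for a debug allocator's quarantine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only; every model_* name here is hypothetical. */
#define POISON 0x6b /* POISON_FREE: byte SLUB debugging writes over freed objects */

struct model_clk { int enabled; };
struct model_priv { struct model_clk *hclk; };             /* driver private data */
struct model_mmc_host { int id; struct model_priv priv; }; /* core + private, one block */

static struct model_mmc_host slot; /* quarantined: poisoned on free, never reused */
static struct model_clk demo_clk;

static void model_free_host(struct model_mmc_host *mmc)
{
    memset(mmc, POISON, sizeof(*mmc)); /* the private data goes with it */
}

/* Returns -1 when handed a pointer that was loaded from poisoned memory. */
static int model_clk_disable(struct model_clk *clk)
{
    uintptr_t poison;
    memset(&poison, POISON, sizeof(poison));
    if ((uintptr_t)clk == poison)
        return -1;
    clk->enabled = 0;
    return 0;
}

/* fixed != 0: disable the clock before the free, the order the patch restores. */
static int model_remove(int fixed)
{
    struct model_priv *host = &slot.priv; /* same role as mmc_priv(mmc) */
    int ret = 0;
    demo_clk.enabled = 1;
    host->hclk = &demo_clk;               /* "probe": private data is live */
    if (fixed)
        ret = model_clk_disable(host->hclk);
    model_free_host(&slot);
    if (!fixed)
        ret = model_clk_disable(host->hclk); /* stale read: sees poison */
    return ret;
}

int main(void)
{
    printf("free-then-disable: %d, disable-then-free: %d\n", model_remove(0), model_remove(1));
    return 0;
}
```

In the free-then-disable order the clock is also left enabled, because the pointer that reaches the disable call no longer refers to it.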
* Re: [PATCH] mmc: sh_mmcif: fix use after free
From: Chris Ball @ 2012-10-29 21:23 UTC (permalink / raw)
To: Guennadi Liakhovetski; +Cc: linux-mmc, linux-sh
Hi Guennadi,
On Tue, Oct 23 2012, Guennadi Liakhovetski wrote:
> A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
> after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
> mmc_free_host() frees private driver data, therefore using it afterwards
> is a bug. Revert that hunk.
>
> Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
> ---
>
> Chris, the offending patch appeared in 3.6, so, this has to go to
> 3.6.stable, as well as to 3.7-rc.
>
> drivers/mmc/host/sh_mmcif.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
> index 11d2bc3..d25bc97 100644
> --- a/drivers/mmc/host/sh_mmcif.c
> +++ b/drivers/mmc/host/sh_mmcif.c
> @@ -1466,9 +1466,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
>
> platform_set_drvdata(pdev, NULL);
>
> + clk_disable(host->hclk);
> mmc_free_host(host->mmc);
> pm_runtime_put_sync(&pdev->dev);
> - clk_disable(host->hclk);
> pm_runtime_disable(&pdev->dev);
>
> return 0;
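Review bot: with clk_disable(host->hclk) moved above mmc_free_host(host->mmc), the clock is now switched off before pm_runtime_put_sync(&pdev->dev) runs, the reverse of the order the removed line had. The commit message says only "Revert that hunk", so it would help to state whether the earlier commit placed clk_disable() after the runtime PM put on purpose; if it did, the alternative fix is to leave clk_disable() where it was and move mmc_free_host(host->mmc) to the end of the function, after pm_runtime_disable(&pdev->dev).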
Thanks, pushed to mmc-next for 3.7. In future, feel free to note the
stable@ situation by adding:
Cc: stable@vger.kernel.org [3.6]
- Chris.
--
Chris Ball <cjb@laptop.org> <http://printf.net/>
One Laptop Per Child
* Re: [PATCH] mmc: sh_mmcif: fix use after free
From: Guennadi Liakhovetski @ 2012-10-30 22:08 UTC (permalink / raw)
To: Chris Ball; +Cc: linux-mmc, linux-sh
Hi Chris
On Mon, 29 Oct 2012, Chris Ball wrote:
> Hi Guennadi,
>
> On Tue, Oct 23 2012, Guennadi Liakhovetski wrote:
> > A recent commit "mmc: sh_mmcif: fix clock management" has introduced a use
> > after free bug in sh_mmcif.c: in sh_mmcif_remove() the call to
> > mmc_free_host() frees private driver data, therefore using it afterwards
> > is a bug. Revert that hunk.
> >
> > Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
> > ---
> >
> > Chris, the offending patch appeared in 3.6, so, this has to go to
> > 3.6.stable, as well as to 3.7-rc.
> >
> > drivers/mmc/host/sh_mmcif.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/drivers/mmc/host/sh_mmcif.c b/drivers/mmc/host/sh_mmcif.c
> > index 11d2bc3..d25bc97 100644
> > --- a/drivers/mmc/host/sh_mmcif.c
> > +++ b/drivers/mmc/host/sh_mmcif.c
> > @@ -1466,9 +1466,9 @@ static int __devexit sh_mmcif_remove(struct platform_device *pdev)
> >
> > platform_set_drvdata(pdev, NULL);
> >
> > + clk_disable(host->hclk);
> > mmc_free_host(host->mmc);
> > pm_runtime_put_sync(&pdev->dev);
> > - clk_disable(host->hclk);
> > pm_runtime_disable(&pdev->dev);
> >
> > return 0;
>
> Thanks, pushed to mmc-next for 3.7.
Thanks!
> In future, feel free to note the
> stable@ situation by adding:
>
> Cc: stable@vger.kernel.org [3.6]
Hm, a bit confused. I seem to remember, that one of subsystem maintainers,
to whom I also submitted a patch, that should also have been forwarded to
stable, told me, that adding this "Cc: stable@..." tag was a task of
subsystem maintainers, in that case his task, and not of individual
submitters, which might only indicate their opinion in this respect. Am I
wrong?
Thanks
Guennadi
---
Guennadi Liakhovetski, Ph.D.
Freelance Open-Source Software Developer
http://www.open-technology.de/
* Re: [PATCH] mmc: sh_mmcif: fix use after free
From: Chris Ball @ 2012-10-30 22:37 UTC (permalink / raw)
To: Guennadi Liakhovetski; +Cc: linux-mmc, linux-sh
Hi Guennadi,
On Tue, Oct 30 2012, Guennadi Liakhovetski wrote:
>> In future, feel free to note the
>> stable@ situation by adding:
>>
>> Cc: stable@vger.kernel.org [3.6]
>
> Hm, a bit confused. I seem to remember, that one of subsystem maintainers,
> to whom I also submitted a patch, that should also have been forwarded to
> stable, told me, that adding this "Cc: stable@..." tag was a task of
> subsystem maintainers, in that case his task, and not of individual
> submitters, which might only indicate their opinion in this respect. Am I
> wrong?
Oh, interesting; I haven't seen that complaint myself. I don't think
there's a kernel-wide rule about this, but I might be wrong.
Personally, I'm happy with receiving the stable@ tag because I like it
when patch authors think about -stable and I want to encourage them to
do so. (Often they know whether a patch is needed in -stable better
than I do.)
Of course, the stable@ team isn't going to do anything until the patch
enters mainline, and the patch is only going to enter mainline through
my tree after I've had a chance to change the stable@ tag if necessary,
so there's no problem for me there.
Sorry to leave you in the middle of conflicting advice. :-) The stable@
hint is appreciated in either form; I was just trying to save you some
typing.
Thanks!
- Chris.
--
Chris Ball <cjb@laptop.org> <http://printf.net/>
One Laptop Per Child