releases/4.14.183/mmc-block-fix-use-after-free-issue-for-rpmb.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From db7703b7afdc0903c25ba5591f3a397e3f3ab038 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Fri, 22 May 2020 09:29:25 +0000
 Subject: mmc: block: Fix use-after-free issue for rpmb
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 From: Peng Hao <richard.peng@oppo.com>

 [ Upstream commit 202500d21654874aa03243e91f96de153ec61860 ]

 The data structure member “rpmb->md” was passed to a call of the function
 “mmc_blk_put” after a call of the function “put_device”. Reorder these
 function calls to keep the data accesses consistent.

 Fixes: 1c87f7357849 ("mmc: block: Fix bug when removing RPMB chardev ")
 Signed-off-by: Peng Hao <richard.peng@oppo.com>
 Cc: stable@vger.kernel.org
 [Uffe: Fixed up mangled patch and updated commit message]
 Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/mmc/core/block.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
 index 916b88ee2de4..cbb72b460755 100644
 --- a/drivers/mmc/core/block.c
 +++ b/drivers/mmc/core/block.c
 @@ -2333,8 +2333,8 @@ static int mmc_rpmb_chrdev_release(struct inode *inode, struct file *filp)
  	struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
  						  struct mmc_rpmb_data, chrdev);

 -	put_device(&rpmb->dev);
  	mmc_blk_put(rpmb->md);
 +	put_device(&rpmb->dev);

  	return 0;
  }
 --
 2.25.1
	From db7703b7afdc0903c25ba5591f3a397e3f3ab038 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Fri, 22 May 2020 09:29:25 +0000
	Subject: mmc: block: Fix use-after-free issue for rpmb
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	From: Peng Hao <richard.peng@oppo.com>

	[ Upstream commit 202500d21654874aa03243e91f96de153ec61860 ]

	The data structure member “rpmb->md” was passed to a call of the function
	“mmc_blk_put” after a call of the function “put_device”. Reorder these
	function calls to keep the data accesses consistent.

	Fixes: 1c87f7357849 ("mmc: block: Fix bug when removing RPMB chardev ")
	Signed-off-by: Peng Hao <richard.peng@oppo.com>
	Cc: stable@vger.kernel.org
	[Uffe: Fixed up mangled patch and updated commit message]
	Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/mmc/core/block.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c
	index 916b88ee2de4..cbb72b460755 100644
	--- a/drivers/mmc/core/block.c
	+++ b/drivers/mmc/core/block.c
	@@ -2333,8 +2333,8 @@ static int mmc_rpmb_chrdev_release(struct inode inode, struct file filp)
	struct mmc_rpmb_data *rpmb = container_of(inode->i_cdev,
	struct mmc_rpmb_data, chrdev);

	- put_device(&rpmb->dev);
	mmc_blk_put(rpmb->md);
	+ put_device(&rpmb->dev);

	return 0;
	}
	--
	2.25.1