From: Yang Yingliang yangyingliang@huawei.com
stable inclusion from stable-v5.10.169 commit 0b3edcb24bd81b3b2e3dac89f4733bfd47d283be category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4N9 CVE: CVE-2023-52708
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit cf4c9d2ac1e42c7d18b921bec39486896645b714 upstream.
If mmc_add_host() fails, it doesn't need to call mmc_remove_host(), or it will cause null-ptr-deref, because of deleting a not added device in mmc_remove_host().
To fix this, goto label 'fail_glue_init', if mmc_add_host() fails, and change the label 'fail_add_host' to 'fail_gpiod_request'.
Fixes: 15a0580ced08 ("mmc_spi host driver") Signed-off-by: Yang Yingliang yangyingliang@huawei.com Cc:stable@vger.kernel.org Link: https://lore.kernel.org/r/20230131013835.3564011-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Wang Hai wanghai38@huawei.com Conflicts: drivers/mmc/host/mmc_spi.c [ Context conflict ] Signed-off-by: Li Nan linan122@huawei.com --- drivers/mmc/host/mmc_spi.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c index ea254d00541f..4fb61e87b9e3 100644 --- a/drivers/mmc/host/mmc_spi.c +++ b/drivers/mmc/host/mmc_spi.c @@ -1436,13 +1436,13 @@ static int mmc_spi_probe(struct spi_device *spi)
status = mmc_add_host(mmc); if (status != 0) - goto fail_add_host; + goto fail_glue_init;
if (host->pdata && host->pdata->flags & MMC_SPI_USE_CD_GPIO) { status = mmc_gpio_request_cd(mmc, host->pdata->cd_gpio, host->pdata->cd_debounce); if (status != 0) - goto fail_add_host; + goto fail_gpiod_request;
/* The platform has a CD GPIO signal that may support * interrupts, so let mmc_gpiod_request_cd_irq() decide @@ -1457,7 +1457,7 @@ static int mmc_spi_probe(struct spi_device *spi) has_ro = true; status = mmc_gpio_request_ro(mmc, host->pdata->ro_gpio); if (status != 0) - goto fail_add_host; + goto fail_gpiod_request; }
dev_info(&spi->dev, "SD/MMC host %s%s%s%s%s\n", @@ -1470,7 +1470,7 @@ static int mmc_spi_probe(struct spi_device *spi) ? ", cd polling" : ""); return 0;
-fail_add_host: +fail_gpiod_request: mmc_remove_host (mmc); fail_glue_init: if (host->dma_dev)