Re: [PATCH] mmc: moxart: fix potential use-after-free on remove path.
From: Ulf Hansson
Date: Wed Mar 04 2026 - 11:26:35 EST
On Mon, 23 Feb 2026 at 14:48, Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Just like in commit bd2db32e7c3e ("moxart: fix potential use-after-free
> on remove path"), we should wait until after we are finished writing to
> the mmc host device before removing it, otherwise it could have been
> already freed.
mmc_remove_host() doesn't actually free the host, but it reverses what
mmc_add_host() did during probe.
Since the moxart driver uses devm_mmc_alloc_host() the last reference
to the host will be dropped after ->remove() completes, leading to
mmc_free_host() to be called for it.
However, improvements can still be made in the ->remove() callback. See below.
>
> Cc: Ulf Hansson <ulf.hansson@xxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> Assisted-by: gkh_clanker_2000
What's this?
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/mmc/host/moxart-mmc.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
> index 3dd8f232052f..256e16390ef3 100644
> --- a/drivers/mmc/host/moxart-mmc.c
> +++ b/drivers/mmc/host/moxart-mmc.c
> @@ -690,12 +690,12 @@ static void moxart_remove(struct platform_device *pdev)
> dma_release_channel(host->dma_chan_tx);
> if (!IS_ERR_OR_NULL(host->dma_chan_rx))
> dma_release_channel(host->dma_chan_rx);
> - mmc_remove_host(mmc);
>
> writel(0, host->base + REG_INTERRUPT_MASK);
> writel(0, host->base + REG_POWER_CONTROL);
> writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
> host->base + REG_CLOCK_CONTROL);
> + mmc_remove_host(mmc);
Rather than moving this to the bottom of the function, it would be
more correct to move it to the beginning.
This way, we ensure things have been closed down properly before
releasing the dma channels.
> }
>
> static const struct of_device_id moxart_mmc_match[] = {
> --
> 2.53.0
>
Kind regards
Uffe