tmio_mmc: Fix use after free in remove()

Update the tmio_mmc code to call mmc_free_host() when
done using the private data. Without this fix the driver
frees memory and then keeps on using it as private data.

Signed-off-by: Magnus Damm <damm@opensource.se>
Acked-by: Ian Molton <ian@mnementh.co.uk>
Signed-off-by: Pierre Ossman <drzeus@drzeus.cx>

diff --git a/drivers/mmc/host/tmio_mmc.c b/drivers/mmc/host/tmio_mmc.c
index 4f3e265d02035d39f3c3d19e8c725e4d1a6fe4a1..63fbd5b7d312b503e285a68a1895af709c134027 100644 (file)
--- a/drivers/mmc/host/tmio_mmc.c
+++ b/drivers/mmc/host/tmio_mmc.c
@@ -650,10 +650,10 @@ static int __devexit tmio_mmc_remove(struct platform_device *dev)
        if (mmc) {
                struct tmio_mmc_host *host = mmc_priv(mmc);
                mmc_remove_host(mmc);
-               mmc_free_host(mmc);
                free_irq(host->irq, host);
                iounmap(host->ctl);
                iounmap(host->cnf);
+               mmc_free_host(mmc);
        }
 
        return 0;