Diffstat (limited to '0001-moxart-fix-potential-use-after-free-on-remove-path.patch')
-rw-r--r--0001-moxart-fix-potential-use-after-free-on-remove-path.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/0001-moxart-fix-potential-use-after-free-on-remove-path.patch b/0001-moxart-fix-potential-use-after-free-on-remove-path.patch
new file mode 100644
index 00000000000000..40b099df459821
--- /dev/null
+++ b/0001-moxart-fix-potential-use-after-free-on-remove-path.patch
@@ -0,0 +1,40 @@
+From b927353f1bc0ab6887727fb34145637998141123 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 14 Jan 2022 08:50:22 +0100
+Subject: [PATCH] moxart: fix potential use-after-free on remove path
+
+It was reported that the mmc host structure could be accessed after it
+was freed in moxart_remove(), so fix this by saving the base register of
+the device and using it instead of the pointer dereference.
+
+Reported-by: whitehat002 <hackyzh002@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/moxart-mmc.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/moxart-mmc.c
++++ b/drivers/mmc/host/moxart-mmc.c
+@@ -697,6 +697,7 @@ static int moxart_remove(struct platform
+ {
+ struct mmc_host *mmc = dev_get_drvdata(&pdev->dev);
+ struct moxart_host *host = mmc_priv(mmc);
++ void __iomem *base = host->base;
+
+ dev_set_drvdata(&pdev->dev, NULL);
+
+@@ -707,10 +708,10 @@ static int moxart_remove(struct platform
+ mmc_remove_host(mmc);
+ mmc_free_host(mmc);
+
+- writel(0, host->base + REG_INTERRUPT_MASK);
+- writel(0, host->base + REG_POWER_CONTROL);
+- writel(readl(host->base + REG_CLOCK_CONTROL) | CLK_OFF,
+- host->base + REG_CLOCK_CONTROL);
++ writel(0, base + REG_INTERRUPT_MASK);
++ writel(0, base + REG_POWER_CONTROL);
++ writel(readl(base + REG_CLOCK_CONTROL) | CLK_OFF,
++ base + REG_CLOCK_CONTROL);
+
+ return 0;
+ }
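Review bot: The register writes at the end of moxart_remove() still run after `mmc_free_host(mmc)`, and the patch makes that safe only by caching `host->base` in a local, so any later `host->` access added below the free would reintroduce the use-after-free. Moving `mmc_free_host(mmc);` to after the last `writel()` would keep `host` valid for the whole teardown and make the cached copy unnecessary. Separately, the new initializer `void __iomem *base = host->base;` dereferences `host` at declaration time, before any check on `mmc` that may sit between the two hunks (not visible here); if such a NULL guard exists, the read belongs inside it. Only part of the function body is shown, so both points need confirming against the full source.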