Linux Kernel OMAP HSMMC Controller MMC Host Addition Return Value Check Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's handling of the OMAP HSMMC controller within the MMC subsystem. The issue arises because the function 'mmc_add_host()' can return an error, and if this return value is ignored, it leads to two significant problems. First, memory allocated by 'mmc_alloc_host()' is leaked. Second, during the device removal process, 'mmc_remove_host()' is called to delete a device that has not been added yet, resulting in a kernel crash due to a null pointer dereference in 'device_del()'. This vulnerability affects the Linux kernel stable tree.

Impact

Failure to properly check the return value of 'mmc_add_host()' can lead to memory leaks and kernel crashes due to null pointer dereferences.

Reproduction

The vulnerability can be reproduced by adding a new OMAP HSMMC controller without properly checking the return value of 'mmc_add_host()'. This can be done by modifying the driver's probe function to call 'mmc_add_host()' and then ignoring its return value. As a result, if 'mmc_add_host()' fails, the allocated memory will not be freed, and 'mmc_remove_host()' will attempt to remove a device that was never added, causing a kernel crash.

Remediation

The vulnerability has been addressed by modifying the OMAP HSMMC driver to check the return value of 'mmc_add_host()' before proceeding. Users should apply the latest patches available in the Linux kernel stable tree to mitigate this issue.
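The unchecked and checked probe paths described above, modelled in userspace C as an added example (this is not the kernel patch or the driver's own code). The sim_* functions, struct sim_host, live_hosts and fail_add are constructed stand-ins for the MMC core calls, and the -EFAULT return stands in for the crash in 'device_del()'.

```c
/* Added example: userspace model, not kernel code. The sim_* helpers are
 * constructed stand-ins for the mmc_*() calls named in the advisory. */
#include <errno.h>
#include <stdlib.h>

struct sim_host { int added; };
static int live_hosts;   /* allocations not yet freed */
static int fail_add;     /* knob: force sim_add_host() to fail */

static struct sim_host *sim_alloc_host(void) {
    struct sim_host *h = calloc(1, sizeof(*h));
    if (h) live_hosts++;
    return h;
}
static void sim_free_host(struct sim_host *h) { free(h); live_hosts--; }
static int sim_add_host(struct sim_host *h) {
    if (fail_add) return -ENOMEM;
    h->added = 1;
    return 0;
}
/* Returns -EFAULT where the kernel would crash in device_del(). */
static int sim_remove_host(struct sim_host *h) {
    if (!h->added) return -EFAULT;
    h->added = 0;
    return 0;
}
/* Before: result of add ignored, probe reports success regardless. */
int probe_unchecked(struct sim_host **out) {
    struct sim_host *h = sim_alloc_host();
    if (!h) return -ENOMEM;
    sim_add_host(h);
    *out = h;
    return 0;
}
/* After: failure is propagated and the allocation is released. */
int probe_checked(struct sim_host **out) {
    struct sim_host *h = sim_alloc_host();
    if (!h) return -ENOMEM;
    int ret = sim_add_host(h);
    if (ret) { sim_free_host(h); return ret; }
    *out = h;
    return 0;
}
/* Device removal: the free is never reached if the remove step faults. */
int drv_remove(struct sim_host *h) {
    int ret = sim_remove_host(h);
    if (ret) return ret;
    sim_free_host(h);
    return 0;
}
```

With fail_add set, probe_checked() returns the error and leaves nothing allocated, while probe_unchecked() reports success and the later drv_remove() hits the modelled fault with the host still allocated.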

Added: Dec 9, 2025, 4:59 PM
Updated: Dec 9, 2025, 4:59 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.