diff options
author | Frank Schaefer <fschaefer.oss@googlemail.com> | 2012-12-22 17:13:38 +0400 |
---|---|---|
committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2012-12-22 22:14:37 +0400 |
commit | 2f5741aa6a71aea6bc8f186e8753f270ae8742f1 (patch) | |
tree | da9668f3a6886514347ad8c907c477ce4c9b3a5e /drivers/media/usb/em28xx/em28xx-input.c | |
parent | 0dae88392395e228e67436cd08f084d395b39df5 (diff) | |
download | linux-2f5741aa6a71aea6bc8f186e8753f270ae8742f1.tar.xz |
[media] em28xx: input: fix oops on device removal
When em28xx_ir_init() fails due to an configuration error, it frees the memory
of struct em28xx_IR *ir, but doesn't set the corresponding pointer in the
device struct to NULL.
On device removal, em28xx_ir_fini() gets called, which then calls
rc_unregister_device() with a pointer to freed memory.
Fixes bug 26572 (http://bugzilla.kernel.org/show_bug.cgi?id=26572)
Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media/usb/em28xx/em28xx-input.c')
-rw-r--r-- | drivers/media/usb/em28xx/em28xx-input.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c index 3899ea823336..3598221378ac 100644 --- a/drivers/media/usb/em28xx/em28xx-input.c +++ b/drivers/media/usb/em28xx/em28xx-input.c @@ -600,7 +600,7 @@ static int em28xx_ir_init(struct em28xx *dev) ir = kzalloc(sizeof(*ir), GFP_KERNEL); rc = rc_allocate_device(); if (!ir || !rc) - goto err_out_free; + goto error; /* record handles to ourself */ ir->dev = dev; @@ -629,14 +629,14 @@ static int em28xx_ir_init(struct em28xx *dev) break; default: err = -ENODEV; - goto err_out_free; + goto error; } /* By default, keep protocol field untouched */ rc_type = RC_BIT_UNKNOWN; err = em28xx_ir_change_protocol(rc, &rc_type); if (err) - goto err_out_free; + goto error; /* This is how often we ask the chip for IR information */ ir->polling = 100; /* ms */ @@ -661,7 +661,7 @@ static int em28xx_ir_init(struct em28xx *dev) /* all done */ err = rc_register_device(rc); if (err) - goto err_out_stop; + goto error; em28xx_register_i2c_ir(dev); @@ -674,9 +674,8 @@ static int em28xx_ir_init(struct em28xx *dev) return 0; -err_out_stop: +error: dev->ir = NULL; -err_out_free: rc_free_device(rc); kfree(ir); return err; |