summaryrefslogtreecommitdiff
path: root/drivers/media
diff options
context:
space:
mode:
authorFrank Schaefer <fschaefer.oss@googlemail.com>2012-12-22 17:13:38 +0400
committerMauro Carvalho Chehab <mchehab@redhat.com>2012-12-22 22:14:37 +0400
commit2f5741aa6a71aea6bc8f186e8753f270ae8742f1 (patch)
treeda9668f3a6886514347ad8c907c477ce4c9b3a5e /drivers/media
parent0dae88392395e228e67436cd08f084d395b39df5 (diff)
downloadlinux-2f5741aa6a71aea6bc8f186e8753f270ae8742f1.tar.xz
[media] em28xx: input: fix oops on device removal
When em28xx_ir_init() fails due to an configuration error, it frees the memory of struct em28xx_IR *ir, but doesn't set the corresponding pointer in the device struct to NULL. On device removal, em28xx_ir_fini() gets called, which then calls rc_unregister_device() with a pointer to freed memory. Fixes bug 26572 (http://bugzilla.kernel.org/show_bug.cgi?id=26572) Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Diffstat (limited to 'drivers/media')
-rw-r--r--drivers/media/usb/em28xx/em28xx-input.c11
1 files changed, 5 insertions, 6 deletions
diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
index 3899ea823336..3598221378ac 100644
--- a/drivers/media/usb/em28xx/em28xx-input.c
+++ b/drivers/media/usb/em28xx/em28xx-input.c
@@ -600,7 +600,7 @@ static int em28xx_ir_init(struct em28xx *dev)
ir = kzalloc(sizeof(*ir), GFP_KERNEL);
rc = rc_allocate_device();
if (!ir || !rc)
- goto err_out_free;
+ goto error;
/* record handles to ourself */
ir->dev = dev;
@@ -629,14 +629,14 @@ static int em28xx_ir_init(struct em28xx *dev)
break;
default:
err = -ENODEV;
- goto err_out_free;
+ goto error;
}
/* By default, keep protocol field untouched */
rc_type = RC_BIT_UNKNOWN;
err = em28xx_ir_change_protocol(rc, &rc_type);
if (err)
- goto err_out_free;
+ goto error;
/* This is how often we ask the chip for IR information */
ir->polling = 100; /* ms */
@@ -661,7 +661,7 @@ static int em28xx_ir_init(struct em28xx *dev)
/* all done */
err = rc_register_device(rc);
if (err)
- goto err_out_stop;
+ goto error;
em28xx_register_i2c_ir(dev);
@@ -674,9 +674,8 @@ static int em28xx_ir_init(struct em28xx *dev)
return 0;
-err_out_stop:
+error:
dev->ir = NULL;
-err_out_free:
rc_free_device(rc);
kfree(ir);
return err;