[media] em28xx: input: fix oops on device removal
When em28xx_ir_init() fails due to an configuration error, it frees the memory of struct em28xx_IR *ir, but doesn't set the corresponding pointer in the device struct to NULL. On device removal, em28xx_ir_fini() gets called, which then calls rc_unregister_device() with a pointer to freed memory. Fixes bug 26572 (http://bugzilla.kernel.org/show_bug.cgi?id=26572) Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
This commit is contained in:
parent
0dae883923
commit
2f5741aa6a
@ -600,7 +600,7 @@ static int em28xx_ir_init(struct em28xx *dev)
|
||||
ir = kzalloc(sizeof(*ir), GFP_KERNEL);
|
||||
rc = rc_allocate_device();
|
||||
if (!ir || !rc)
|
||||
goto err_out_free;
|
||||
goto error;
|
||||
|
||||
/* record handles to ourself */
|
||||
ir->dev = dev;
|
||||
@ -629,14 +629,14 @@ static int em28xx_ir_init(struct em28xx *dev)
|
||||
break;
|
||||
default:
|
||||
err = -ENODEV;
|
||||
goto err_out_free;
|
||||
goto error;
|
||||
}
|
||||
|
||||
/* By default, keep protocol field untouched */
|
||||
rc_type = RC_BIT_UNKNOWN;
|
||||
err = em28xx_ir_change_protocol(rc, &rc_type);
|
||||
if (err)
|
||||
goto err_out_free;
|
||||
goto error;
|
||||
|
||||
/* This is how often we ask the chip for IR information */
|
||||
ir->polling = 100; /* ms */
|
||||
@ -661,7 +661,7 @@ static int em28xx_ir_init(struct em28xx *dev)
|
||||
/* all done */
|
||||
err = rc_register_device(rc);
|
||||
if (err)
|
||||
goto err_out_stop;
|
||||
goto error;
|
||||
|
||||
em28xx_register_i2c_ir(dev);
|
||||
|
||||
@ -674,9 +674,8 @@ static int em28xx_ir_init(struct em28xx *dev)
|
||||
|
||||
return 0;
|
||||
|
||||
err_out_stop:
|
||||
error:
|
||||
dev->ir = NULL;
|
||||
err_out_free:
|
||||
rc_free_device(rc);
|
||||
kfree(ir);
|
||||
return err;
|
||||
|
Loading…
Reference in New Issue
Block a user