[media] em28xx: input: fix oops on device removal

When em28xx_ir_init() fails due to an configuration error, it frees the memory
of struct em28xx_IR *ir, but doesn't set the corresponding pointer in the
device struct to NULL.
On device removal, em28xx_ir_fini() gets called, which then calls
rc_unregister_device() with a pointer to freed memory.
Fixes bug 26572 (http://bugzilla.kernel.org/show_bug.cgi?id=26572)

Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
This commit is contained in:
Frank Schaefer 2012-12-22 10:13:38 -03:00 committed by Mauro Carvalho Chehab
parent 0dae883923
commit 2f5741aa6a

View File

@ -600,7 +600,7 @@ static int em28xx_ir_init(struct em28xx *dev)
ir = kzalloc(sizeof(*ir), GFP_KERNEL); ir = kzalloc(sizeof(*ir), GFP_KERNEL);
rc = rc_allocate_device(); rc = rc_allocate_device();
if (!ir || !rc) if (!ir || !rc)
goto err_out_free; goto error;
/* record handles to ourself */ /* record handles to ourself */
ir->dev = dev; ir->dev = dev;
@ -629,14 +629,14 @@ static int em28xx_ir_init(struct em28xx *dev)
break; break;
default: default:
err = -ENODEV; err = -ENODEV;
goto err_out_free; goto error;
} }
/* By default, keep protocol field untouched */ /* By default, keep protocol field untouched */
rc_type = RC_BIT_UNKNOWN; rc_type = RC_BIT_UNKNOWN;
err = em28xx_ir_change_protocol(rc, &rc_type); err = em28xx_ir_change_protocol(rc, &rc_type);
if (err) if (err)
goto err_out_free; goto error;
/* This is how often we ask the chip for IR information */ /* This is how often we ask the chip for IR information */
ir->polling = 100; /* ms */ ir->polling = 100; /* ms */
@ -661,7 +661,7 @@ static int em28xx_ir_init(struct em28xx *dev)
/* all done */ /* all done */
err = rc_register_device(rc); err = rc_register_device(rc);
if (err) if (err)
goto err_out_stop; goto error;
em28xx_register_i2c_ir(dev); em28xx_register_i2c_ir(dev);
@ -674,9 +674,8 @@ static int em28xx_ir_init(struct em28xx *dev)
return 0; return 0;
err_out_stop: error:
dev->ir = NULL; dev->ir = NULL;
err_out_free:
rc_free_device(rc); rc_free_device(rc);
kfree(ir); kfree(ir);
return err; return err;