When em28xx_ir_init() fails due to an configuration error, it frees the memory
of struct em28xx_IR *ir, but doesn't set the corresponding pointer in the
device struct to NULL.
On device removal, em28xx_ir_fini() gets called, which then calls
rc_unregister_device() with a pointer to freed memory.
Fixes bug 26572 (http://bugzilla.kernel.org/show_bug.cgi?id=26572)
Signed-off-by: Frank Schäfer <fschaefer.oss@googlemail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
ir = kzalloc(sizeof(*ir), GFP_KERNEL);
rc = rc_allocate_device();
if (!ir || !rc)
- goto err_out_free;
+ goto error;
/* record handles to ourself */
ir->dev = dev;
break;
default:
err = -ENODEV;
- goto err_out_free;
+ goto error;
}
/* By default, keep protocol field untouched */
rc_type = RC_BIT_UNKNOWN;
err = em28xx_ir_change_protocol(rc, &rc_type);
if (err)
- goto err_out_free;
+ goto error;
/* This is how often we ask the chip for IR information */
ir->polling = 100; /* ms */
/* all done */
err = rc_register_device(rc);
if (err)
- goto err_out_stop;
+ goto error;
em28xx_register_i2c_ir(dev);
return 0;
-err_out_stop:
+error:
dev->ir = NULL;
-err_out_free:
rc_free_device(rc);
kfree(ir);
return err;
projects / profile / ivi / kernel-x86-ivi.git / commitdiff