[PATCH 1/6] USB: fsl_qe_udc: Fix oops on QE UDC probe failure

From: Anton Vorontsov
Date: Thu Dec 25 2008 - 09:15:26 EST

Next message: Anton Vorontsov: "[PATCH 2/6] USB: fsl_qe_udc: Fix recursive locking bug inch9getstatus()"
Previous message: Anton Vorontsov: "[PATCH 0/6] USB: Fixes for fsl_qe_udc driver"
In reply to: Anton Vorontsov: "[PATCH 0/6] USB: Fixes for fsl_qe_udc driver"
Next in thread: Anton Vorontsov: "[PATCH 2/6] USB: fsl_qe_udc: Fix recursive locking bug inch9getstatus()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In case of probing errors the driver kfrees the udc_controller, but it
doesn't set the pointer to NULL.

When usb_gadget_register_driver is called, it checks for udc_controller
!= NULL, the check passes and the driver accesses nonexistent memory.
Fix this by setting udc_controller to NULL in case of errors.

While at it, also implement irq_of_parse_and_map()'s failure and cleanup
cases.

Signed-off-by: Anton Vorontsov <avorontsov@xxxxxxxxxxxxx>
Acked-by: David Brownell <dbrownell@xxxxxxxxxxxxxxxxxxxxx>
---
drivers/usb/gadget/fsl_qe_udc.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/drivers/usb/gadget/fsl_qe_udc.c b/drivers/usb/gadget/fsl_qe_udc.c
index d15be3d..db6fe04 100644
--- a/drivers/usb/gadget/fsl_qe_udc.c
+++ b/drivers/usb/gadget/fsl_qe_udc.c
@@ -2604,6 +2604,10 @@ static int __devinit qe_udc_probe(struct of_device *ofdev,
(unsigned long)udc_controller);
/* request irq and disable DR */
udc_controller->usb_irq = irq_of_parse_and_map(np, 0);
+ if (!udc_controller->usb_irq) {
+ ret = -EINVAL;
+ goto err_noirq;
+ }

ret = request_irq(udc_controller->usb_irq, qe_udc_irq, 0,
driver_name, udc_controller);
@@ -2625,6 +2629,8 @@ static int __devinit qe_udc_probe(struct of_device *ofdev,
err6:
free_irq(udc_controller->usb_irq, udc_controller);
err5:
+ irq_dispose_mapping(udc_controller->usb_irq);
+err_noirq:
if (udc_controller->nullmap) {
dma_unmap_single(udc_controller->gadget.dev.parent,
udc_controller->nullp, 256,
@@ -2648,7 +2654,7 @@ err2:
iounmap(udc_controller->usb_regs);
err1:
kfree(udc_controller);
-
+ udc_controller = NULL;
return ret;
}

@@ -2710,6 +2716,7 @@ static int __devexit qe_udc_remove(struct of_device *ofdev)
kfree(ep->txframe);

free_irq(udc_controller->usb_irq, udc_controller);
+ irq_dispose_mapping(udc_controller->usb_irq);

tasklet_kill(&udc_controller->rx_tasklet);

--
1.5.6.5

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Anton Vorontsov: "[PATCH 2/6] USB: fsl_qe_udc: Fix recursive locking bug inch9getstatus()"
Previous message: Anton Vorontsov: "[PATCH 0/6] USB: Fixes for fsl_qe_udc driver"
In reply to: Anton Vorontsov: "[PATCH 0/6] USB: Fixes for fsl_qe_udc driver"
Next in thread: Anton Vorontsov: "[PATCH 2/6] USB: fsl_qe_udc: Fix recursive locking bug inch9getstatus()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]