Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit da4fc14c authored by Heiko Stübner's avatar Heiko Stübner Committed by Greg Kroah-Hartman
Browse files

s3c-hsudc: Fix possible nullpointer dereference during probe 



The usb-interrupt is requested before the endpoints are initalised.
If an interrupt happens in the time between request_irq and the init
of the endpoint-data (as seen on the Qisda ESx00 ebook-platforms),
it is therefore possible for the interrupt handler to access endpoint-
data before its creation resulting in a null-pointer dereference.

This patch simply moves the irq request below the endpoint init.

Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 94ab23dd

drivers/usb/gadget/s3c-hsudc.c

+13 −13
Original line number Diff line number Diff line
@@ -1269,19 +1269,6 @@ static int s3c_hsudc_probe(struct platform_device *pdev) 
		goto err_remap;

	}



	ret = platform_get_irq(pdev, 0);

	if (ret < 0) {

		dev_err(dev, "unable to obtain IRQ number\n");

		goto err_irq;

	}

	hsudc->irq = ret;



	ret = request_irq(hsudc->irq, s3c_hsudc_irq, 0, driver_name, hsudc);

	if (ret < 0) {

		dev_err(dev, "irq request failed\n");

		goto err_irq;

	}



	spin_lock_init(&hsudc->lock);



	device_initialize(&hsudc->gadget.dev);
@@ -1299,6 +1286,19 @@ static int s3c_hsudc_probe(struct platform_device *pdev) 


	s3c_hsudc_setup_ep(hsudc);



	ret = platform_get_irq(pdev, 0);

	if (ret < 0) {

		dev_err(dev, "unable to obtain IRQ number\n");

		goto err_irq;

	}

	hsudc->irq = ret;



	ret = request_irq(hsudc->irq, s3c_hsudc_irq, 0, driver_name, hsudc);

	if (ret < 0) {

		dev_err(dev, "irq request failed\n");

		goto err_irq;

	}



	hsudc->uclk = clk_get(&pdev->dev, "usb-device");

	if (IS_ERR(hsudc->uclk)) {

		dev_err(dev, "failed to find usb-device clock source\n");