s3c-hsudc: Fix possible nullpointer dereference during probe
authorHeiko Stübner <heiko@sntech.de>
Sun, 21 Aug 2011 12:31:17 +0000 (14:31 +0200)
committerGreg Kroah-Hartman <gregkh@suse.de>
Mon, 22 Aug 2011 23:03:13 +0000 (16:03 -0700)
The usb-interrupt is requested before the endpoints are initalised.
If an interrupt happens in the time between request_irq and the init
of the endpoint-data (as seen on the Qisda ESx00 ebook-platforms),
it is therefore possible for the interrupt handler to access endpoint-
data before its creation resulting in a null-pointer dereference.

This patch simply moves the irq request below the endpoint init.

Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/gadget/s3c-hsudc.c

index 3fa717c5f4bc6b214e997a11768ffbd18fbcb651..00056c27a1c8fc3b429c1a7bc2b91458b746fa52 100644 (file)
@@ -1269,19 +1269,6 @@ static int s3c_hsudc_probe(struct platform_device *pdev)
                goto err_remap;
        }
 
-       ret = platform_get_irq(pdev, 0);
-       if (ret < 0) {
-               dev_err(dev, "unable to obtain IRQ number\n");
-               goto err_irq;
-       }
-       hsudc->irq = ret;
-
-       ret = request_irq(hsudc->irq, s3c_hsudc_irq, 0, driver_name, hsudc);
-       if (ret < 0) {
-               dev_err(dev, "irq request failed\n");
-               goto err_irq;
-       }
-
        spin_lock_init(&hsudc->lock);
 
        device_initialize(&hsudc->gadget.dev);
@@ -1299,6 +1286,19 @@ static int s3c_hsudc_probe(struct platform_device *pdev)
 
        s3c_hsudc_setup_ep(hsudc);
 
+       ret = platform_get_irq(pdev, 0);
+       if (ret < 0) {
+               dev_err(dev, "unable to obtain IRQ number\n");
+               goto err_irq;
+       }
+       hsudc->irq = ret;
+
+       ret = request_irq(hsudc->irq, s3c_hsudc_irq, 0, driver_name, hsudc);
+       if (ret < 0) {
+               dev_err(dev, "irq request failed\n");
+               goto err_irq;
+       }
+
        hsudc->uclk = clk_get(&pdev->dev, "usb-device");
        if (IS_ERR(hsudc->uclk)) {
                dev_err(dev, "failed to find usb-device clock source\n");