Commit 69f2af2

Bruno Prémont authored and gregkh committed
HID: picolcd: Prevent NULL pointer dereference on _remove()
commit 1cde501bb4655e98fb832194beb88ac73be5a05d upstream.

When picolcd is switched into bootloader mode (for FW flashing) make sure not to try to dereference NULL-pointers of feature-devices during unplug/unbind.

This fixes following BUG:

  BUG: unable to handle kernel NULL pointer dereference at 00000298
  IP: [<f811f56b>] picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd]
  *pde = 00000000
  Oops: 0000 [#1]
  Modules linked in: hid_picolcd syscopyarea sysfillrect sysimgblt fb_sys_fops
  CPU: 0 PID: 15 Comm: khubd Not tainted 3.11.0-rc7-00002-g50d62d4 imx6-dongle#2
  EIP: 0060:[<f811f56b>] EFLAGS: 00010292 CPU: 0
  EIP is at picolcd_exit_framebuffer+0x1b/0x80 [hid_picolcd]
  Call Trace:
   [<f811d1ab>] picolcd_remove+0xcb/0x120 [hid_picolcd]
   [<c1469b09>] hid_device_remove+0x59/0xc0
   [<c13464ca>] __device_release_driver+0x5a/0xb0
   [<c134653f>] device_release_driver+0x1f/0x30
   [<c134603d>] bus_remove_device+0x9d/0xd0
   [<c13439a5>] device_del+0xd5/0x150
   [<c14696a4>] hid_destroy_device+0x24/0x60
   [<c1474cbb>] usbhid_disconnect+0x1b/0x40
   ...

Signed-off-by: Bruno Prémont <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 7c91362 commit 69f2af2

2 files changed

+7 -2 lines changed

drivers/hid/hid-picolcd_cir.c

Lines changed: 2 additions & 1 deletion
@@ -145,6 +145,7 @@ void picolcd_exit_cir(struct picolcd_data *data)
145145
struct rc_dev *rdev = data->rc_dev;
146146

147147
data->rc_dev = NULL;
148-
rc_unregister_device(rdev);
148+
if (rdev)
149+
rc_unregister_device(rdev);
149150
}
150151
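Review bot: The new `if (rdev)` guard in picolcd_exit_cir() carries no comment saying when data->rc_dev can legitimately be NULL, and the oops quoted in the commit message only shows picolcd_exit_framebuffer(), so nothing on the page documents how this path was found. A one-line comment above the check (rc_dev is not set up when the device is in bootloader mode) would keep a later cleanup from removing it as redundant. It is also worth stating in the commit message whether the other feature-device teardown calls reached from picolcd_remove() were audited for the same pattern, since only two of them are touched here.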

drivers/hid/hid-picolcd_fb.c

Lines changed: 5 additions & 1 deletion
@@ -593,10 +593,14 @@ int picolcd_init_framebuffer(struct picolcd_data *data)
593593
void picolcd_exit_framebuffer(struct picolcd_data *data)
594594
{
595595
struct fb_info *info = data->fb_info;
596-
struct picolcd_fb_data *fbdata = info->par;
596+
struct picolcd_fb_data *fbdata;
597597
unsigned long flags;
598598

599+
if (!info)
600+
return;
601+
599602
device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate);
603+
fbdata = info->par;
600604

601605
/* disconnect framebuffer from HID dev */
602606
spin_lock_irqsave(&fbdata->lock, flags);
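Review bot: The early `if (!info) return;` in picolcd_exit_framebuffer() sits above device_remove_file(&data->hdev->dev, &dev_attr_fb_update_rate), so the sysfs attribute is no longer removed on the NULL path. That is only correct if the attribute is never created without data->fb_info being set; please confirm that against picolcd_init_framebuffer() and say so in a comment, or move the device_remove_file() call above the check if the file can exist on its own. Separately, `fbdata = info->par;` could follow the NULL check directly rather than sitting after device_remove_file(), which keeps the two pointer setups together and makes the dependency on the check obvious.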
