From: Stephen Warren Date: Wed, 10 Sep 2014 17:01:10 +0000 (-0700) Subject: Input: atmel_mxt_ts - fix double free of input device X-Git-Tag: firefly_0821_release~176^2~541^2~152 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=58e4aeee39917c75da8e5dca0f1c42be8dc29f9e;p=firefly-linux-kernel-4.4.55.git Input: atmel_mxt_ts - fix double free of input device [Nick Dyer: reworked to move free of input device into separate function and only call in paths that require it.] Signed-off-by: Nick Dyer Signed-off-by: Dmitry Torokhov --- diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c index d954b81243fe..aaacf8bfa61f 100644 --- a/drivers/input/touchscreen/atmel_mxt_ts.c +++ b/drivers/input/touchscreen/atmel_mxt_ts.c @@ -1379,11 +1379,16 @@ static int mxt_get_info(struct mxt_data *data) return 0; } -static void mxt_free_object_table(struct mxt_data *data) +static void mxt_free_input_device(struct mxt_data *data) { - input_unregister_device(data->input_dev); - data->input_dev = NULL; + if (data->input_dev) { + input_unregister_device(data->input_dev); + data->input_dev = NULL; + } +} +static void mxt_free_object_table(struct mxt_data *data) +{ kfree(data->object_table); data->object_table = NULL; kfree(data->msg_buf); @@ -1962,11 +1967,13 @@ static int mxt_load_fw(struct device *dev, const char *fn) ret = mxt_lookup_bootloader_address(data, 0); if (ret) goto release_firmware; + + mxt_free_input_device(data); + mxt_free_object_table(data); } else { enable_irq(data->irq); } - mxt_free_object_table(data); reinit_completion(&data->bl_completion); ret = mxt_check_bootloader(data, MXT_WAITING_BOOTLOAD_CMD, false); @@ -2215,6 +2222,7 @@ static int mxt_probe(struct i2c_client *client, const struct i2c_device_id *id) return 0; err_free_object: + mxt_free_input_device(data); mxt_free_object_table(data); err_free_irq: free_irq(client->irq, data); @@ -2229,7 +2237,7 @@ static int mxt_remove(struct i2c_client *client) sysfs_remove_group(&client->dev.kobj, &mxt_attr_group); free_irq(data->irq, data); - input_unregister_device(data->input_dev); + mxt_free_input_device(data); mxt_free_object_table(data); kfree(data);