From: Srinivas Pandruvada Date: Thu, 20 Sep 2012 00:15:00 +0000 (+0100) Subject: iio: hid-sensors: Prevent crash during hot-unplug X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f07b60b7c34b771431f1d00e783f29a3667ff5ee;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git iio: hid-sensors: Prevent crash during hot-unplug When hid sensor hub is unplugged, there is a crash in iio_device_unregister_trigger_consumer. In a typical IIO driver when remove is called, it will unregister and free trigger and then it will call iio_device_free. The function iio_trigger_free() will free the allocated memory for trigger. If this trigger was assigned to iio_dev->trig, then it should be set to NULL. Othewise when iio_device_free() is called later, it finally calls iio_device_unregsister_trigger(), which checks for if (indio_dev->trig) iio_trigger_put(indio_dev->trig); If indio_dev->trig is not set to NULL, it calls iio_trigger_put on a bad pointer causing crash. This scenerio can happen in any driver, which is storing trigger pointer in iio_dev structure and following current procedure during remove. Signed-off-by: Srinivas Pandruvada Signed-off-by: Jonathan Cameron --- diff --git a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c index 12277e8bbd8..d4b790d18ef 100644 --- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c +++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c @@ -56,6 +56,7 @@ void hid_sensor_remove_trigger(struct iio_dev *indio_dev) { iio_trigger_unregister(indio_dev->trig); iio_trigger_free(indio_dev->trig); + indio_dev->trig = NULL; } EXPORT_SYMBOL(hid_sensor_remove_trigger);