aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorClemens Ladisch <clemens@ladisch.de>2009-12-21 18:36:44 -0500
committerGreg Kroah-Hartman <gregkh@suse.de>2009-12-23 14:34:11 -0500
commitac06c06770bb8761b1f1f9bdf2f5420fa6d3e9fa (patch)
tree9119d4de2abbb3796b278e2e21d8c1eebcddae31
parent27f1281d5f72e4f161e215ccad3d7d86b9e624a9 (diff)
USB: emi62: fix crash when trying to load EMI 6|2 firmware
While converting emi62 to use request_firmware(), the driver was also changed to use the ihex helper functions. However, this broke the loading of the FPGA firmware because the code tries to access the addr field of the EOF record which works with a plain array that has an empty last record but not with the ihex helper functions where the end of the data is signaled with a NULL record pointer, resulting in: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<f80d248c>] emi62_load_firmware+0x33c/0x740 [emi62] This can be fixed by changing the loop condition to test the return value of ihex_next_binrec() directly (like in emi26.c). Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Reported-and-tested-by: Der Mickster <retroeffective@gmail.com> Acked-by: David Woodhouse <David.Woodhouse@intel.com> Cc: stable <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/misc/emi62.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/misc/emi62.c b/drivers/usb/misc/emi62.c
index 602ee05ba9ff..59860b328534 100644
--- a/drivers/usb/misc/emi62.c
+++ b/drivers/usb/misc/emi62.c
@@ -167,7 +167,7 @@ static int emi62_load_firmware (struct usb_device *dev)
167 err("%s - error loading firmware: error = %d", __func__, err); 167 err("%s - error loading firmware: error = %d", __func__, err);
168 goto wraperr; 168 goto wraperr;
169 } 169 }
170 } while (i > 0); 170 } while (rec);
171 171
172 /* Assert reset (stop the CPU in the EMI) */ 172 /* Assert reset (stop the CPU in the EMI) */
173 err = emi62_set_reset(dev,1); 173 err = emi62_set_reset(dev,1);