[media] exynos4-is: Prevent NULL pointer dereference when firmware isn't loaded

Ensure the firmware isn't accessed in the driver when the firmware loading routine has not completed. This fixes a potential kernel crash: [ 96.510000] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 96.520000] pgd = ee604000 [ 96.520000] [00000000] *pgd=6e947831, *pte=00000000, *ppte=00000000 [ 96.530000] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [ 96.530000] Modules linked in: [ 96.530000] CPU: 2 PID: 2787 Comm: camera_test Not tainted 3.10.0-rc1-00269-gcdbde37-dirty #2158 [ 96.545000] task: ee42e400 ti: edfcc000 task.ti: edfcc000 [ 96.545000] PC is at fimc_is_start_firmware+0x14/0x94 [ 96.545000] LR is at fimc_isp_subdev_s_power+0x13c/0x1f8 ... [ 96.745000] [<c03e0354>] (fimc_is_start_firmware+0x14/0x94) from [<c03e1cc4>] (fimc_isp_subdev_s_power+0x13c/0x1f8) [ 96.745000] [<c03e1cc4>] (fimc_isp_subdev_s_power+0x13c/0x1f8) from [<c03ed088>] (__subdev_set_power+0x70/0x84) [ 96.745000] [<c03ed088>] (__subdev_set_power+0x70/0x84) from [<c03ed164>] (fimc_pipeline_s_power+0xc8/0x164) [ 96.745000] [<c03ed164>] (fimc_pipeline_s_power+0xc8/0x164) from [<c03ee2b8>] (__fimc_pipeline_open+0x90/0x268) [ 96.745000] [<c03ee2b8>] (__fimc_pipeline_open+0x90/0x268) from [<c03ec5f0>] (fimc_capture_open+0xe4/0x1ec) [ 96.745000] [<c03ec5f0>] (fimc_capture_open+0xe4/0x1ec) from [<c03c5560>] (v4l2_open+0xa8/0xe4) [ 96.745000] [<c03c5560>] (v4l2_open+0xa8/0xe4) from [<c0112900>] (chrdev_open+0x9c/0x158) [ 96.745000] [<c0112900>] (chrdev_open+0x9c/0x158) from [<c010d3e0>] (do_dentry_open+0x1f4/0x27c) [ 96.745000] [<c010d3e0>] (do_dentry_open+0x1f4/0x27c) from [<c010d558>] (finish_open+0x34/0x50) [ 96.745000] [<c010d558>] (finish_open+0x34/0x50) from [<c011bea0>] (do_last+0x59c/0xbcc) [ 96.745000] [<c011bea0>] (do_last+0x59c/0xbcc) from [<c011c580>] (path_openat+0xb0/0x484) [ 96.745000] [<c011c580>] (path_openat+0xb0/0x484) from [<c011ca58>] (do_filp_open+0x30/0x84) [ 96.745000] [<c011ca58>] (do_filp_open+0x30/0x84) from [<c010d060>] (do_sys_open+0xe8/0x170) [ 96.745000] [<c010d060>] (do_sys_open+0xe8/0x170) from [<c000f040>] (ret_fast_syscall+0x0/0x30) Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
author: Sylwester Nawrocki <s.nawrocki@samsung.com> 2013-05-31 07:40:35 -0400
committer: Mauro Carvalho Chehab <mchehab@redhat.com> 2013-06-08 18:52:34 -0400
commit: 3cf138a6393d4ae2aeabce4c4b776d7d15cce69b (patch)
tree: 10a9452101c79dd54561903c2f27e192d77684d2
parent: d1c1cc664342cf197afeea4b0dd8145d1edee35c (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c
index 47c6363d04e2..1adf6dfcb39e 100644
--- a/drivers/media/platform/exynos4-is/fimc-is.c
+++ b/drivers/media/platform/exynos4-is/fimc-is.c
@@ -326,6 +326,11 @@ int fimc_is_start_firmware(struct fimc_is *is)
        struct device *dev = &is->pdev->dev;
        int ret;
+        if (is->fw.f_w == NULL) {
+                dev_err(dev, "firmware is not loaded\n");
+                return -EINVAL;
+        }
        memcpy(is->memory.vaddr, is->fw.f_w->data, is->fw.f_w->size);
        wmb();
@@ -941,7 +946,8 @@ static int fimc_is_remove(struct platform_device *pdev)
        vb2_dma_contig_cleanup_ctx(is->alloc_ctx);
        fimc_is_put_clocks(is);
        fimc_is_debugfs_remove(is);
-        release_firmware(is->fw.f_w);
+        if (is->fw.f_w)
+                release_firmware(is->fw.f_w);
        fimc_is_free_cpu_memory(is);
        return 0;
author	Sylwester Nawrocki <s.nawrocki@samsung.com>	2013-05-31 07:40:35 -0400
committer	Mauro Carvalho Chehab <mchehab@redhat.com>	2013-06-08 18:52:34 -0400
commit	3cf138a6393d4ae2aeabce4c4b776d7d15cce69b (patch)
tree	10a9452101c79dd54561903c2f27e192d77684d2
parent	d1c1cc664342cf197afeea4b0dd8145d1edee35c (diff)