USB: emi26: fix oops on load

Fix oops introduced by commit ae93a55bf948753de0bb8e43fa9c027f786abb05
(emi26: use request_firmware()):

usb 1-1: new full speed USB device using uhci_hcd and address 2
usb 1-1: configuration #1 chosen from 1 choice
emi26 - firmware loader 1-1:1.0: emi26_probe start
usb 1-1: firmware: requesting emi26/loader.fw
usb 1-1: firmware: requesting emi26/bitstream.fw
usb 1-1: firmware: requesting emi26/firmware.fw
usb 1-1: emi26_set_reset - 1
usb 1-1: emi26_set_reset - 0
BUG: unable to handle kernel NULL pointer dereference at 00000000
IP: [<f80dc487>] emi26_probe+0x2f7/0x620 [emi26]
*pde = 00000000
Oops: 0000 [#1] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1d.0/usb1/1-1/firmware/1-1/loading
Modules linked in: emi26(+) ipv6 cpufreq_ondemand coretemp arc4 ecb iwl3945 irtty_sir sir_dev nsc_ircc ehci_hcd uhci_hcd mac80211 irda usbcore snd_hda_intel thinkpad_acpi rfkill hwmon led_class e1000e snd_pcm cfg80211 snd_timer crc_ccitt snd snd_page_alloc aes_generic

Pid: 5082, comm: modprobe Not tainted (2.6.28 #2) 17023QG
EIP: 0060:[<f80dc487>] EFLAGS: 00010206 CPU: 0
EIP is at emi26_probe+0x2f7/0x620 [emi26]
EAX: 0000015c EBX: 00000000 ECX: c1ffd9c0 EDX: 00000000
ESI: 0000015c EDI: f6bb215c EBP: f6bb0400 ESP: f00ebcfc
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process modprobe (pid: 5082, ti=f00ea000 task=f5c7c700 task.ti=f00ea000)
Stack:
 0000015c 000000a5 f6a67cb8 f80dc7e0 c01c6262 fbef2986 f6bb2000 00008fe0
 0000015c f715f748 f715f740 f715f738 f715f748 f6a67c00 f80dd040 f80dcfc0
 f6bb0400 fbacb290 f6a67c94 fbae0160 c01c70bf 00000000 f6a67c1c 00000000
Call Trace:
 [<c01c6262>] sysfs_add_one+0x12/0x50
 [<fbacb290>] usb_probe_interface+0xa0/0x140 [usbcore]
 [<c01c70bf>] sysfs_create_link+0xf/0x20
 [<c02dead2>] driver_probe_device+0x82/0x180
 [<fbac9eeb>] usb_match_id+0x3b/0x50 [usbcore]
 [<c02dec4e>] __driver_attach+0x7e/0x80
 [<c02de27a>] bus_for_each_dev+0x3a/0x60
 [<c02de956>] driver_attach+0x16/0x20
 [<c02debd0>] __driver_attach+0x0/0x80
 [<c02de7b1>] bus_add_driver+0x1a1/0x220
 [<c02dee4d>] driver_register+0x4d/0x120
 [<c024e622>] idr_get_empty_slot+0xf2/0x290
 [<fbacab71>] usb_register_driver+0x81/0x100 [usbcore]
 [<f806c000>] emi26_init+0x0/0x14 [emi26]
 [<c0101126>] do_one_initcall+0x36/0x1b0
 [<c01c5e70>] sysfs_ilookup_test+0x0/0x10
 [<c0197a61>] ifind+0x31/0x90
 [<c01c6229>] __sysfs_add_one+0x59/0x80
 [<c01c64e4>] sysfs_addrm_finish+0x14/0x1c0
 [<c0175ca3>] __vunmap+0xa3/0xd0
 [<c014b854>] load_module+0x1544/0x1640
 [<c014b9d7>] sys_init_module+0x87/0x1b0
 [<c0187f41>] sys_read+0x41/0x70
 [<c01032a5>] sysenter_do_call+0x12/0x21
 [<c03d0000>] wait_for_common+0x40/0x110
Code: 66 c1 e8 08 66 09 d0 75 a5 31 d2 89 e8 e8 72 fc ff ff 85 c0 0f 88 9a 02 00 00 b8 fa 00 00 00 e8 30 46 05 c8 8b 74 24 28 8b 5e 04 <8b> 03 89 44 24 1c 0f c8 89 44 24 1c 0f b7 4b 04 c7 44 24 20 00
EIP: [<f80dc487>] emi26_probe+0x2f7/0x620 [emi26] SS:ESP 0068:f00ebcfc
---[ end trace 2eefa13825431230 ]---

After the last "package" of firmware data is sent to the device, we dereference
NULL pointer (on access to rec->addr). Fix it.

Reported--by: David Flatz <[email protected]>
Tested-by: David Flatz <[email protected]>
Signed-off-by: Marcin Slusarz <[email protected]>
Cc: David Woodhouse <[email protected]>
Cc: stable <[email protected]> [2.6.27, 2.6.28]
Signed-off-by: Greg Kroah-Hartman <[email protected]>

diff --git a/drivers/usb/misc/emi26.c b/drivers/usb/misc/emi26.c
index e762beb5f3c6c641a08309e10904f7a318bbd9bf..879a980ca8c4a1a0b37a892b4cfc333539c15a55 100644 (file)
--- a/drivers/usb/misc/emi26.c
+++ b/drivers/usb/misc/emi26.c
@@ -160,7 +160,7 @@ static int emi26_load_firmware (struct usb_device *dev)
                        err("%s - error loading firmware: error = %d", __func__, err);
                        goto wraperr;
                }
-       } while (i > 0);
+       } while (rec);
 
        /* Assert reset (stop the CPU in the EMI) */
        err = emi26_set_reset(dev,1);