> tps65910_irq_init() sets the 'tps65910->chip_irq' before calling
> regmap_add_irq_chip(). If this regmap_add_irq_chip() call fails in
> memory allocation of regmap_irq_chip_data members then:
> 1. The 'tps65910->chip_irq' will still hold some value;
> 2. 'tps65910->irq_data' will be pointing to already freed memory
> (because regmap_add_irq_chip() will free it on error);
>
> This results in invalid memory access during driver remove because the
> tps65910_irq_exit() tests whether 'tps65910->chip_irq' is not null.
>
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@xxxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Fixes: 4aab3fadad32 ("mfd: tps65910: Move interrupt implementation code to mfd file")
> ---
> drivers/mfd/tps65910.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)

Applied after cleaning up the commit message a little.

--
Lee Jones
Linaro STMicroelectronics Landing Team Lead
Linaro.org │ Open source software for ARM SoCs
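The failure mode described in the quoted commit message, modelled in user-space C as an added example; it is not code from the patch, the thread, or the kernel driver. The names `tps_model`, `mock_add_irq_chip`, `init_buggy`, `init_fixed`, `model_exit` and `irq_data_live` are hypothetical, and the fix shown is one possible approach, since the patch body is not visible in this message.

```c
#include <stdlib.h>

/* Simplified model of the driver state named in the commit message. */
struct tps_model {
    int chip_irq;                   /* non-zero is read as "IRQ chip registered" */
    void *irq_data;                 /* stands in for the regmap_irq_chip_data pointer */
    int irq_data_live;              /* demo bookkeeping: 1 while irq_data is valid */
};

/* Hypothetical mock of regmap_add_irq_chip(): frees its allocation on error. */
static int mock_add_irq_chip(struct tps_model *t, int fail)
{
    t->irq_data = malloc(64);
    if (!t->irq_data || fail) {
        free(t->irq_data);          /* caller's pointer keeps the old address */
        t->irq_data_live = 0;
        return -12;                 /* -ENOMEM */
    }
    t->irq_data_live = 1;
    return 0;
}

/* Pattern from the commit message: chip_irq is set first and never reset. */
static int init_buggy(struct tps_model *t, int irq, int fail)
{
    t->chip_irq = irq;
    return mock_add_irq_chip(t, fail);
}

/* One possible fix (assumption, not the applied patch): clear chip_irq on error. */
static int init_fixed(struct tps_model *t, int irq, int fail)
{
    t->chip_irq = irq;
    int ret = mock_add_irq_chip(t, fail);
    if (ret < 0)
        t->chip_irq = 0;
    return ret;
}

/* Remove-time check on chip_irq; returns 1 if teardown would use freed irq_data. */
static int model_exit(struct tps_model *t)
{
    if (!t->chip_irq)
        return 0;                   /* nothing registered: teardown skipped */
    if (!t->irq_data_live)
        return 1;                   /* stale chip_irq: teardown on freed data */
    free(t->irq_data);
    t->irq_data_live = t->chip_irq = 0;
    return 0;
}
```

The model never dereferences the dangling pointer; `model_exit()` only reports whether the remove path would have reached it.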