cg2900: Fix crash when transport is closed

This patch fixes crashes caused by transport being removed while users of the CG2900 driver still exist. ST-Ericsson Linux next: Not tested, ER 336652 ST-Ericsson ID: 336652 ST-Ericsson FOSS-OUT ID: Trivial Change-Id: I6318ce1086097a4fa63a1793b6795b01ea939715 Signed-off-by: Par-Gunnar Hjalmdahl <par-gunnar.p.hjalmdahl@stericsson.com> Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/21781 Reviewed-by: QATEST Reviewed-by: Lukasz RYMANOWSKI <lukasz.rymanowski@stericsson.com> Reviewed-on: http://gerrit.lud.stericsson.com/gerrit/29795 Reviewed-by: Virupax SADASHIVPETIMATH <virupax.sadashivpetimath@stericsson.com> Tested-by: Virupax SADASHIVPETIMATH <virupax.sadashivpetimath@stericsson.com>
author: Par-Gunnar Hjalmdahl <par-gunnar.p.hjalmdahl@stericsson.com> 2011-08-29 09:29:05 +0530
committer: Philippe Langlais <philippe.langlais@stericsson.com> 2012-05-22 11:05:51 +0200
commit: 0e9b14d010fe2fa1eb5e1690e32e101e1adf9dab (patch)
tree: a7fdce790177301cedef819b5907894bc1d5743e /drivers/staging/cg2900/mfd
parent: d224ba380d6433d109eac46c94c18299258f9f28 (diff)
2 files changed, 42 insertions, 8 deletions
diff --git a/drivers/staging/cg2900/mfd/cg2900_audio.c b/drivers/staging/cg2900/mfd/cg2900_audio.c
index 6eadd96b2de..a7b8eda4305 100644
--- a/drivers/staging/cg2900/mfd/cg2900_audio.c
+++ b/drivers/staging/cg2900/mfd/cg2900_audio.c
@@ -111,6 +111,7 @@ struct endpoint_config_node {
  *				audio channel.
  * @dev_fm:			Device registered by this driver for the FM
  *				audio channel.
+ * @filp:			Current char device file pointer.
  * @management_mutex:		Mutex for handling access to CG2900 Audio driver
  *				management.
  * @bt_mutex:			Mutex for handling access to BT audio channel.
@@ -136,6 +137,7 @@ struct audio_info {
 	struct device			*parent;
 	struct device			*dev_bt;
 	struct device			*dev_fm;
+	struct file			*filp;
 	struct mutex			management_mutex;
 	struct mutex			bt_mutex;
 	struct mutex			fm_mutex;
@@ -2825,6 +2827,7 @@ static int audio_dev_open(struct inode *inode, struct file *filp)
 	}
 	filp->private_data = char_dev_info;
 	char_dev_info->info = info;
+	info->filp = filp;
 
 	mutex_init(&char_dev_info->management_mutex);
 	mutex_init(&char_dev_info->rw_mutex);
@@ -2861,7 +2864,14 @@ static int audio_dev_release(struct inode *inode, struct file *filp)
 {
 	int err = 0;
 	struct char_dev_info *dev = filp->private_data;
-	struct audio_info *info = dev->info;
+	struct audio_info *info;
+
+	if (!dev) {
+		pr_err("audio_dev_release: Transport closed");
+		return -EBADF;
+	}
+
+	info = dev->info;
 
 	dev_dbg(BT_DEV, "audio_dev_release\n");
 
@@ -2879,6 +2889,7 @@ static int audio_dev_release(struct inode *inode, struct file *filp)
 
 	kfree(dev);
 	filp->private_data = NULL;
+	info->filp = NULL;
 
 	return err;
 }
@@ -2907,11 +2918,18 @@ static ssize_t audio_dev_read(struct file *filp, char __user *buf, size_t count,
 			      loff_t *f_pos)
 {
 	struct char_dev_info *dev = filp->private_data;
-	struct audio_info *info = dev->info;
+	struct audio_info *info;
 	unsigned int bytes_to_copy;
 	int err = 0;
 	struct sk_buff *skb;
 
+	if (!dev) {
+		pr_err("audio_dev_read: Transport closed");
+		return -EBADF;
+	}
+
+	info = dev->info;
+
 	dev_dbg(BT_DEV, "audio_dev_read count %d\n", count);
 
 	mutex_lock(&dev->rw_mutex);
@@ -2988,7 +3006,7 @@ static ssize_t audio_dev_write(struct file *filp, const char __user *buf,
 	pr_debug("audio_dev_write count %d", count);
 
 	if (!dev) {
-		pr_err("No dev supplied in private data");
+		pr_err("audio_dev_write: Transport closed");
 		return -EBADF;
 	}
 	info = dev->info;
@@ -3170,7 +3188,7 @@ static unsigned int audio_dev_poll(struct file *filp, poll_table *wait)
 	unsigned int mask = 0;
 
 	if (!dev) {
-		pr_err("No dev supplied in private data");
+		pr_err("audio_dev_poll: Transport closed");
 		return POLLERR | POLLRDHUP;
 	}
 	info = dev->info;
@@ -3344,6 +3362,9 @@ static int common_remove(struct audio_info *info, struct device *dev)
 		dev_err(dev, "Error %d deregistering misc dev\n", err);
 	info->misc_registered = false;
 
+	if (info->filp)
+		info->filp->private_data = NULL;
+
 	dev_info(dev, "CG2900 Audio driver removed\n");
 	return err;
 }
diff --git a/drivers/staging/cg2900/mfd/cg2900_char_devices.c b/drivers/staging/cg2900/mfd/cg2900_char_devices.c
index 0f1627e82ac..10f7d38d4a0 100644
--- a/drivers/staging/cg2900/mfd/cg2900_char_devices.c
+++ b/drivers/staging/cg2900/mfd/cg2900_char_devices.c
@@ -37,6 +37,7 @@
  * struct char_dev_user - Stores device information.
  * @dev:		Current device.
  * @miscdev:		Registered device struct.
+ * @filp:		Current file pointer.
  * @name:		Name of device.
  * @rx_queue:		Data queue.
  * @rx_wait_queue:	Wait queue.
@@ -48,6 +49,7 @@
 struct char_dev_user {
 	struct device		*dev;
 	struct miscdevice	miscdev;
+	struct file		*filp;
 	char			*name;
 	struct sk_buff_head	rx_queue;
 	wait_queue_head_t	rx_wait_queue;
@@ -147,6 +149,7 @@ static int char_dev_open(struct inode *inode, struct file *filp)
 	}
 
 	filp->private_data = dev;
+	dev->filp = filp;
 	user = dev_get_platdata(dev->dev);
 
 	/* First initiate wait queues for this device. */
@@ -188,7 +191,7 @@ static int char_dev_release(struct inode *inode, struct file *filp)
 	pr_debug("char_dev_release");
 
 	if (!dev) {
-		pr_err("Calling with NULL pointer");
+		pr_err("char_dev_release: Calling with NULL pointer");
 		return -EBADF;
 	}
 
@@ -203,6 +206,7 @@ static int char_dev_release(struct inode *inode, struct file *filp)
 	dev_info(MAIN_DEV, "char_dev %s closed\n", dev->name);
 
 	filp->private_data = NULL;
+	dev->filp = NULL;
 	wake_up_interruptible(&dev->rx_wait_queue);
 	wake_up_interruptible(&dev->reset_wait_queue);
 
@@ -241,7 +245,7 @@ static ssize_t char_dev_read(struct file *filp, char __user *buf, size_t count,
 	pr_debug("char_dev_read");
 
 	if (!dev) {
-		pr_err("Calling with NULL pointer");
+		pr_err("char_dev_read: Calling with NULL pointer");
 		return -EBADF;
 	}
 	mutex_lock(&dev->read_mutex);
@@ -322,7 +326,7 @@ static ssize_t char_dev_write(struct file *filp, const char __user *buf,
 	pr_debug("char_dev_write");
 
 	if (!dev) {
-		pr_err("Calling with NULL pointer");
+		pr_err("char_dev_write: Calling with NULL pointer");
 		return -EBADF;
 	}
 
@@ -386,6 +390,11 @@ static long char_dev_unlocked_ioctl(struct file *filp, unsigned int cmd,
 	int ret_val;
 	void __user *user_arg = (void __user *)arg;
 
+	if (!dev) {
+		pr_err("char_dev_unlocked_ioctl: Calling with NULL pointer");
+		return -EBADF;
+	}
+
 	dev_dbg(dev->dev, "char_dev_unlocked_ioctl for %s\n"
 		"\tDIR: %d\n"
 		"\tTYPE: %d\n"
@@ -464,7 +473,7 @@ static unsigned int char_dev_poll(struct file *filp, poll_table *wait)
 	unsigned int mask = 0;
 
 	if (!dev) {
-		pr_debug("Device not open");
+		pr_debug("char_dev_poll: Device not open");
 		return POLLERR | POLLRDHUP;
 	}
 
@@ -526,6 +535,10 @@ static void remove_dev(struct char_dev_user *dev_usr)
 	mutex_destroy(&dev_usr->read_mutex);
 	mutex_destroy(&dev_usr->write_mutex);
 
+	dev_usr->dev = NULL;
+	if (dev_usr->filp)
+		dev_usr->filp->private_data = NULL;
+
 	/* Remove device node in file system. */
 	misc_deregister(&dev_usr->miscdev);
 	kfree(dev_usr);
author	Par-Gunnar Hjalmdahl <par-gunnar.p.hjalmdahl@stericsson.com>	2011-08-29 09:29:05 +0530
committer	Philippe Langlais <philippe.langlais@stericsson.com>	2012-05-22 11:05:51 +0200
commit	0e9b14d010fe2fa1eb5e1690e32e101e1adf9dab (patch)
tree	a7fdce790177301cedef819b5907894bc1d5743e /drivers/staging/cg2900/mfd
parent	d224ba380d6433d109eac46c94c18299258f9f28 (diff)