summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLars-Peter Clausen <lars@metafoo.de>2012-09-12 12:06:00 +0100
committerJonathan Cameron <jic23@kernel.org>2012-09-22 10:55:08 +0100
commit3fff22743640637c2b61473d3cc8d7dc2215984f (patch)
tree2e7d8751b60e245e18a8f14282aebf0e03c53360
parente60fea794e6ecb9ea4df2623c9498412afe31d4d (diff)
staging:iio:dummy: Fix potential NULL pointer dereferenceiio-for-v3.7e
If the config contains CONFIG_IIO_BUFFER=y and CONFIG_IIO_SIMPLE_DUMMY_BUFFER=n iio_simple_dummy_configure_buffer() is stubbed out and iio_buffer_register() is not. As a result we try to register a buffer which has not been configured. This will causes a NULL pointer deref in iio_buffer_register. To solve this issue move the iio_buffer_register() call to iio_simple_dummy_configure_buffer(), so it will only be called if iio_simple_dummy_configure_buffer() has been called. Reported-by: Fengguang Wu <fengguang.wu@intel.com> Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
-rw-r--r--drivers/staging/iio/iio_simple_dummy.c20
-rw-r--r--drivers/staging/iio/iio_simple_dummy.h6
-rw-r--r--drivers/staging/iio/iio_simple_dummy_buffer.c11
3 files changed, 21 insertions, 16 deletions
diff --git a/drivers/staging/iio/iio_simple_dummy.c b/drivers/staging/iio/iio_simple_dummy.c
index 029bcc67f164..dc6c728ea47a 100644
--- a/drivers/staging/iio/iio_simple_dummy.c
+++ b/drivers/staging/iio/iio_simple_dummy.c
@@ -445,26 +445,20 @@ static int __devinit iio_dummy_probe(int index)
if (ret < 0)
goto error_free_device;
- /* Configure buffered capture support. */
- ret = iio_simple_dummy_configure_buffer(indio_dev);
- if (ret < 0)
- goto error_unregister_events;
-
/*
- * Register the channels with the buffer, but avoid the output
- * channel being registered by reducing the number of channels by 1.
+ * Configure buffered capture support and register the channels with the
+ * buffer, but avoid the output channel being registered by reducing the
+ * number of channels by 1.
*/
- ret = iio_buffer_register(indio_dev, iio_dummy_channels, 5);
+ ret = iio_simple_dummy_configure_buffer(indio_dev, iio_dummy_channels, 5);
if (ret < 0)
- goto error_unconfigure_buffer;
+ goto error_unregister_events;
ret = iio_device_register(indio_dev);
if (ret < 0)
- goto error_unregister_buffer;
+ goto error_unconfigure_buffer;
return 0;
-error_unregister_buffer:
- iio_buffer_unregister(indio_dev);
error_unconfigure_buffer:
iio_simple_dummy_unconfigure_buffer(indio_dev);
error_unregister_events:
@@ -499,7 +493,6 @@ static int iio_dummy_remove(int index)
/* Device specific code to power down etc */
/* Buffered capture related cleanup */
- iio_buffer_unregister(indio_dev);
iio_simple_dummy_unconfigure_buffer(indio_dev);
ret = iio_simple_dummy_events_unregister(indio_dev);
@@ -530,6 +523,7 @@ static __init int iio_dummy_init(void)
instances = 1;
return -EINVAL;
}
+
/* Fake a bus */
iio_dummy_devs = kcalloc(instances, sizeof(*iio_dummy_devs),
GFP_KERNEL);
diff --git a/drivers/staging/iio/iio_simple_dummy.h b/drivers/staging/iio/iio_simple_dummy.h
index 53975d916fc9..c9e8702caca4 100644
--- a/drivers/staging/iio/iio_simple_dummy.h
+++ b/drivers/staging/iio/iio_simple_dummy.h
@@ -95,10 +95,12 @@ enum iio_simple_dummy_scan_elements {
};
#ifdef CONFIG_IIO_SIMPLE_DUMMY_BUFFER
-int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev);
+int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *channels, unsigned int num_channels);
void iio_simple_dummy_unconfigure_buffer(struct iio_dev *indio_dev);
#else
-static inline int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev)
+static inline int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *channels, unsigned int num_channels)
{
return 0;
};
diff --git a/drivers/staging/iio/iio_simple_dummy_buffer.c b/drivers/staging/iio/iio_simple_dummy_buffer.c
index 1fd38095b2ca..697d9700db2f 100644
--- a/drivers/staging/iio/iio_simple_dummy_buffer.c
+++ b/drivers/staging/iio/iio_simple_dummy_buffer.c
@@ -126,7 +126,8 @@ static const struct iio_buffer_setup_ops iio_simple_dummy_buffer_setup_ops = {
.predisable = &iio_triggered_buffer_predisable,
};
-int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev)
+int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev,
+ const struct iio_chan_spec *channels, unsigned int num_channels)
{
int ret;
struct iio_buffer *buffer;
@@ -182,8 +183,15 @@ int iio_simple_dummy_configure_buffer(struct iio_dev *indio_dev)
* driven by a trigger.
*/
indio_dev->modes |= INDIO_BUFFER_TRIGGERED;
+
+ ret = iio_buffer_register(indio_dev, channels, num_channels);
+ if (ret)
+ goto error_dealloc_pollfunc;
+
return 0;
+error_dealloc_pollfunc:
+ iio_dealloc_pollfunc(indio_dev->pollfunc);
error_free_buffer:
iio_kfifo_free(indio_dev->buffer);
error_ret:
@@ -197,6 +205,7 @@ error_ret:
*/
void iio_simple_dummy_unconfigure_buffer(struct iio_dev *indio_dev)
{
+ iio_buffer_unregister(indio_dev);
iio_dealloc_pollfunc(indio_dev->pollfunc);
iio_kfifo_free(indio_dev->buffer);
}