From 438580723acc054b95ae5ae205bea3d9da0e4092 Mon Sep 17 00:00:00 2001 From: Wayne Zou Date: Thu, 14 Jul 2011 09:58:04 +0800 Subject: ENGR00153090 DA9053: fix a kernel crash during probe da9053 regulator driver Rootcause: It's memory overflow and overwrite some other memory space by da9053 drver. The code does not allocate memory for priv->regulators, which will cause the following code priv->regulators[i] = regulator_register(.. overwrite other memory place. Signed-off-by: Wayne Zou --- drivers/regulator/da9052-regulator.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c index 34452839570c..bb770d41c626 100644 --- a/drivers/regulator/da9052-regulator.c +++ b/drivers/regulator/da9052-regulator.c @@ -59,7 +59,7 @@ struct regulator { .mask_bits = (mbits),\ .en_bit_mask = (cbits),\ } - +#define DA9052_MAX_REGULATORS (14) struct regulator_info { struct regulator_desc reg_desc; struct regulation_constraints reg_const; @@ -478,18 +478,24 @@ static int __devinit da9052_regulator_probe(struct platform_device *pdev) (pdev->dev.platform_data); struct da9052 *da9052 = dev_get_drvdata(pdev->dev.parent); struct regulator_init_data *init_data; + struct da9052_platform_data *da9052_pdata = da9052->dev->platform_data; int i, ret = 0; - priv = kzalloc(sizeof(*priv), GFP_KERNEL); + if ((da9052_pdata == NULL) || + (da9052_pdata->num_regulators > DA9052_MAX_REGULATORS) || + (da9052_pdata->num_regulators <= 0)) + return -EINVAL; + + priv = kzalloc(sizeof(*priv) + sizeof(priv->regulators[0]) * + da9052_pdata->num_regulators, GFP_KERNEL); if (priv == NULL) return -ENOMEM; priv->da9052 = da9052; - for (i = 0; i < 14; i++) { + for (i = 0; i < da9052_pdata->num_regulators; i++) { init_data = &pdata->regulators[i]; init_data->driver_data = da9052; - pdev->dev.platform_data = init_data; priv->regulators[i] = regulator_register( &da9052_regulators[i].reg_desc, &pdev->dev, init_data, -- cgit v1.2.3