[PATCH] staging: most: don't access hdm_ch before checking it valid
In try_start_dim_transfer(), pointer hdm_ch is accessed before checking.
This may lead to a potential null pointer dereference. Fix this by
dereferencing hdm_ch after calling BUG_ON().
Signed-off-by: Jing Xiangfeng
---
drivers/staging/most/dim2/dim2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/most/dim2/dim2.c b/drivers/staging/most/dim2/dim2.c
index 509c8012d20b..ccd7cc7545e4 100644
--- a/drivers/staging/most/dim2/dim2.c
+++ b/drivers/staging/most/dim2/dim2.c
@@ -148,7 +148,7 @@ void dimcb_on_error(u8 error_id, const char *error_message)
static int try_start_dim_transfer(struct hdm_channel *hdm_ch)
{
u16 buf_size;
- struct list_head *head = &hdm_ch->pending_list;
+ struct list_head *head;
struct mbo *mbo;
unsigned long flags;
struct dim_ch_state_t st;
@@ -156,6 +156,7 @@ static int try_start_dim_transfer(struct hdm_channel
*hdm_ch)
BUG_ON(!hdm_ch);
BUG_ON(!hdm_ch->is_initialized);
+ head = &hdm_ch->pending_list;
spin_lock_irqsave(&dim_lock, flags);
if (list_empty(head)) {
spin_unlock_irqrestore(&dim_lock, flags);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Re: [PATCH] staging: most: don't access hdm_ch before checking it valid
On 2020/9/28 19:48, Dan Carpenter wrote:
On Mon, Sep 28, 2020 at 06:48:38PM +0800, Jing Xiangfeng wrote:
In try_start_dim_transfer(), pointer hdm_ch is accessed before checking.
This may lead to a potential null pointer dereference. Fix this by
dereferencing hdm_ch after calling BUG_ON().
Signed-off-by: Jing Xiangfeng
---
drivers/staging/most/dim2/dim2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/most/dim2/dim2.c b/drivers/staging/most/dim2/dim2.c
index 509c8012d20b..ccd7cc7545e4 100644
--- a/drivers/staging/most/dim2/dim2.c
+++ b/drivers/staging/most/dim2/dim2.c
@@ -148,7 +148,7 @@ void dimcb_on_error(u8 error_id, const char *error_message)
static int try_start_dim_transfer(struct hdm_channel *hdm_ch)
{
u16 buf_size;
- struct list_head *head = &hdm_ch->pending_list;
This is not a dereference, it's just pointer math. In other words:
struct list_head *head = hdm_ch + offsetof(struct hdm_channel,
pending_list);
Thanks for correcting!
So the commit message is wrong because this cannot lead to a NULL
dereference. It's better to just delete the BUG_ON(). We don't really
like BUG_ON(). Checkpatch will complain about them. An Oops gives
basically the same information as a BUG_ON() without completely killing
the kernel so just dereferencing a NULL is preferable. Finally, we can
see from the callers that "hdm_ch" is never NULL.
regards,
dan carpenter
.
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: mfd: hi6421-spmi-pmic: Fix error return in hi6421_spmi_pmic_probe()
Fix to return error code -ENOMEM from the error handling case instead
of 0.
Signed-off-by: Jing Xiangfeng
---
drivers/staging/hikey9xx/hi6421-spmi-pmic.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/hikey9xx/hi6421-spmi-pmic.c
b/drivers/staging/hikey9xx/hi6421-spmi-pmic.c
index 64b30d263c8d..4f34a5282970 100644
--- a/drivers/staging/hikey9xx/hi6421-spmi-pmic.c
+++ b/drivers/staging/hikey9xx/hi6421-spmi-pmic.c
@@ -262,8 +262,10 @@ static int hi6421_spmi_pmic_probe(struct spmi_device *pdev)
hi6421_spmi_pmic_irq_prc(pmic);
pmic->irqs = devm_kzalloc(dev, HISI_IRQ_NUM * sizeof(int), GFP_KERNEL);
- if (!pmic->irqs)
+ if (!pmic->irqs) {
+ ret = -ENOMEM;
goto irq_malloc;
+ }
pmic->domain = irq_domain_add_simple(np, HISI_IRQ_NUM, 0,
&hi6421_spmi_domain_ops, pmic);
--
2.26.0.106.g9fadedd
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: fieldbus: anybuss: jump to correct label in an error path
In current code, controller_probe() misses to call ida_simple_remove()
in an error path. Jump to correct label to fix it.
Fixes: 17614978ed34 ("staging: fieldbus: anybus-s: support the Arcx anybus
controller")
Signed-off-by: Jing Xiangfeng
---
drivers/staging/fieldbus/anybuss/arcx-anybus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/fieldbus/anybuss/arcx-anybus.c
b/drivers/staging/fieldbus/anybuss/arcx-anybus.c
index 5b8d0bae9ff3..b5fded15e8a6 100644
--- a/drivers/staging/fieldbus/anybuss/arcx-anybus.c
+++ b/drivers/staging/fieldbus/anybuss/arcx-anybus.c
@@ -293,7 +293,7 @@ static int controller_probe(struct platform_device *pdev)
regulator = devm_regulator_register(dev, &can_power_desc, &config);
if (IS_ERR(regulator)) {
err = PTR_ERR(regulator);
- goto out_reset;
+ goto out_ida;
}
/* make controller info visible to userspace */
cd->class_dev = kzalloc(sizeof(*cd->class_dev), GFP_KERNEL);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: gasket: interrupt: fix the missed eventfd_ctx_put() in gasket_interrupt.c
gasket_interrupt_set_eventfd() misses to call eventfd_ctx_put() in an
error path. We check interrupt is valid before calling
eventfd_ctx_fdget() to fix it.
There is the same issue in gasket_interrupt_clear_eventfd(), Add the
missed function call to fix it.
Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
Signed-off-by: Jing Xiangfeng
---
drivers/staging/gasket/gasket_interrupt.c | 15 ++-
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/gasket/gasket_interrupt.c
b/drivers/staging/gasket/gasket_interrupt.c
index 2d6195f7300e..864342acfd86 100644
--- a/drivers/staging/gasket/gasket_interrupt.c
+++ b/drivers/staging/gasket/gasket_interrupt.c
@@ -487,14 +487,16 @@ int gasket_interrupt_system_status(struct gasket_dev
*gasket_dev)
int gasket_interrupt_set_eventfd(struct gasket_interrupt_data *interrupt_data,
int interrupt, int event_fd)
{
- struct eventfd_ctx *ctx = eventfd_ctx_fdget(event_fd);
-
- if (IS_ERR(ctx))
- return PTR_ERR(ctx);
+ struct eventfd_ctx *ctx;
if (interrupt < 0 || interrupt >= interrupt_data->num_interrupts)
return -EINVAL;
+ ctx = eventfd_ctx_fdget(event_fd);
+
+ if (IS_ERR(ctx))
+ return PTR_ERR(ctx);
+
interrupt_data->eventfd_ctxs[interrupt] = ctx;
return 0;
}
@@ -505,6 +507,9 @@ int gasket_interrupt_clear_eventfd(struct
gasket_interrupt_data *interrupt_data,
if (interrupt < 0 || interrupt >= interrupt_data->num_interrupts)
return -EINVAL;
- interrupt_data->eventfd_ctxs[interrupt] = NULL;
+ if (interrupt_data->eventfd_ctxs[interrupt]) {
+ eventfd_ctx_put(interrupt_data->eventfd_ctxs[interrupt]);
+ interrupt_data->eventfd_ctxs[interrupt] = NULL;
+ }
return 0;
}
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: olpc_dcon: Do not call platform_device_unregister() in dcon_probe()
In dcon_probe(), when platform_device_add() failes to add the device,
it jumps to call platform_device_unregister() to remove the device,
which is unnecessary. So use platform_device_put() instead.
Fixes: 53c43c5ca133 ("Revert "Staging: olpc_dcon: Remove obsolete driver"")
Signed-off-by: Jing Xiangfeng
---
drivers/staging/olpc_dcon/olpc_dcon.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/olpc_dcon/olpc_dcon.c
b/drivers/staging/olpc_dcon/olpc_dcon.c
index a0d6d90f4cc8..e7281212db5b 100644
--- a/drivers/staging/olpc_dcon/olpc_dcon.c
+++ b/drivers/staging/olpc_dcon/olpc_dcon.c
@@ -659,8 +659,9 @@ static int dcon_probe(struct i2c_client *client, const
struct i2c_device_id *id)
ecreate:
for (j = 0; j < i; j++)
device_remove_file(&dcon_device->dev, &dcon_device_files[j]);
+ platform_device_del(dcon_device);
edev:
- platform_device_unregister(dcon_device);
+ platform_device_put(dcon_device);
dcon_device = NULL;
eirq:
free_irq(DCON_IRQ, dcon);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
