serial: msm_geni_serial: Fix possible null pointer access with handle_rx (ffe56619) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/tty/serial/msm_geni_serial.c

+11 −4

Original line number	Diff line number	Diff line
		@@ -2116,10 +2116,6 @@ static int msm_geni_serial_port_setup(struct uart_port *uport)
		SE_GENI_RX_PACKING_CFG0);
		geni_write_reg_nolog(cfg1, uport->membase,
		SE_GENI_RX_PACKING_CFG1);
		msm_port->handle_rx = handle_rx_hs;
		msm_port->rx_fifo = devm_kzalloc(uport->dev,
		sizeof(msm_port->rx_fifo_depth * sizeof(u32)),
		GFP_KERNEL);
		if (!msm_port->rx_fifo) {
		ret = -ENOMEM;
		goto exit_portsetup;
		@@ -2647,6 +2643,12 @@ static void msm_geni_serial_cancel_rx(struct uart_port *uport)
		unsigned int irq_status;
		u32 rx_fifo_status;
		u32 rx_fifo_wc;
		u32 geni_status;

		geni_status = geni_read_reg_nolog(uport->membase, SE_GENI_STATUS);
		/* Possible thats stop rx is already done from UEFI end */
		if (!(geni_status & S_GENI_CMD_ACTIVE))
		return;

		geni_cancel_s_cmd(uport->membase);
		/* Ensure this goes through before polling. */
		@@ -3229,6 +3231,11 @@ static int msm_geni_serial_probe(struct platform_device *pdev)
		dev_port->rx_fifo = devm_kzalloc(uport->dev, sizeof(u32),
		GFP_KERNEL);
		} else {
		dev_port->handle_rx = handle_rx_hs;
		dev_port->rx_fifo = devm_kzalloc(uport->dev,
		sizeof(dev_port->rx_fifo_depth * sizeof(u32)),
		GFP_KERNEL);

		pm_runtime_set_suspended(&pdev->dev);
		pm_runtime_set_autosuspend_delay(&pdev->dev, 150);
		pm_runtime_use_autosuspend(&pdev->dev);