
Commit b9b64e6e authored by David S. Miller

[OPENPROMIO]: Handle current_node being NULL correctly.



If the user tries to traverse to the next node of the
last node, we get NULL in current_node and a zero phandle
returned.  That's fine, but if the user tries to obtain
properties in that state, we try to dereference a NULL
pointer in the downcall to the of_*() routines.

So protect against that.

Signed-off-by: David S. Miller <davem@davemloft.net>
parent 803db244
+10 −3
@@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr
	void *pval;
	int len;

	pval = of_get_property(dp, op->oprom_array, &len);
	if (!pval || len <= 0 || len > bufsize)
	if (!dp ||
	    !(pval = of_get_property(dp, op->oprom_array, &len)) ||
	    len <= 0 || len > bufsize)
		return copyout(argp, op, sizeof(int));

	memcpy(op->oprom_array, pval, len);
@@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr
	struct property *prop;
	int len;

	if (!dp)
		return copyout(argp, op, sizeof(int));
	if (op->oprom_array[0] == '\0') {
		prop = dp->properties;
		if (!prop)
@@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp

static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data)
{
	phandle ph = 0;

	dp = of_find_node_by_path(op->oprom_array);
	if (dp)
		ph = dp->node;
	data->current_node = dp;
	*((int *)op->oprom_array) = dp->node;
	*((int *)op->oprom_array) = ph;
	op->oprom_size = sizeof(int);

	return copyout(argp, op, bufsize + sizeof(int));
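Review bot: In oprompath2node the new store `*((int *)op->oprom_array) = ph;` still writes sizeof(int) bytes into the caller-sized buffer without comparing against bufsize, whereas opromgetprop in the first hunk bounds its copy with `len > bufsize`. The allocation of op is outside this diff, so padding may already cover it; if it does not, a request with bufsize smaller than sizeof(int) would write past the array, and a guard such as `if (bufsize < (int)sizeof(int)) return -EINVAL;` ahead of the store would make the bound explicit. The path in op->oprom_array also comes from the caller and is passed to of_find_node_by_path() as a C string, so a comment stating where NUL termination is guaranteed would help the next reader. The function's closing brace lies outside the hunk.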