Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0d87c722 authored by Dmitry Torokhov's avatar Dmitry Torokhov
Browse files

Input: adp5588-keypad - fix NULL dereference in adp5588_gpio_add() 



The kpad structure is assigned to i2c client via i2s_set_clientdata()
at the end of adp5588_probe(), but in adp5588_gpio_add() we tried to
access it (via dev_get_drvdata! which is not nice at all) causing an
oops.

Let's pass pointer to kpad directly into adp5588_gpio_add() and
adp5588_gpio_remove() to avoid accessing driver data before it is
set up.

Also split out building of gpiomap into a separate function to
clear the logic.

Reported-by: default avatarMichael Hennerich <michael.hennerich@analog.com>
Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 60347c19

drivers/input/keyboard/adp5588-keys.c

+37 −29
Original line number Diff line number Diff line
@@ -173,16 +173,14 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip, 
	return ret;

}



static int __devinit adp5588_gpio_add(struct device *dev)

static int __devinit adp5588_build_gpiomap(struct adp5588_kpad *kpad,

				const struct adp5588_kpad_platform_data *pdata)

{

	struct adp5588_kpad *kpad = dev_get_drvdata(dev);

	const struct adp5588_kpad_platform_data *pdata = dev->platform_data;

	const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;

	int i, error;



	if (gpio_data) {

		int j = 0;

	bool pin_used[MAXGPIO];

	int n_unused = 0;

	int i;



	memset(pin_used, 0, sizeof(pin_used));



	for (i = 0; i < pdata->rows; i++)

		pin_used[i] = true;
@@ -193,21 +191,31 @@ static int __devinit adp5588_gpio_add(struct device *dev) 
	for (i = 0; i < kpad->gpimapsize; i++)

		pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true;



		for (i = 0; i < MAXGPIO; i++) {

	for (i = 0; i < MAXGPIO; i++)

		if (!pin_used[i])

				kpad->gpiomap[j++] = i;

		}

		kpad->gc.ngpio = j;

			kpad->gpiomap[n_unused++] = i;



		if (kpad->gc.ngpio)

			kpad->export_gpio = true;

	return n_unused;

}



	if (!kpad->export_gpio) {

static int __devinit adp5588_gpio_add(struct adp5588_kpad *kpad)

{

	struct device *dev = &kpad->client->dev;

	const struct adp5588_kpad_platform_data *pdata = dev->platform_data;

	const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;

	int i, error;



	if (!gpio_data)

		return 0;



	kpad->gc.ngpio = adp5588_build_gpiomap(kpad, pdata);

	if (kpad->gc.ngpio == 0) {

		dev_info(dev, "No unused gpios left to export\n");

		return 0;

	}



	kpad->export_gpio = true;



	kpad->gc.direction_input = adp5588_gpio_direction_input;

	kpad->gc.direction_output = adp5588_gpio_direction_output;

	kpad->gc.get = adp5588_gpio_get_value;
@@ -243,9 +251,9 @@ static int __devinit adp5588_gpio_add(struct device *dev) 
	return 0;

}



static void __devexit adp5588_gpio_remove(struct device *dev)

static void __devexit adp5588_gpio_remove(struct adp5588_kpad *kpad)

{

	struct adp5588_kpad *kpad = dev_get_drvdata(dev);

	struct device *dev = &kpad->client->dev;

	const struct adp5588_kpad_platform_data *pdata = dev->platform_data;

	const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;

	int error;
@@ -266,12 +274,12 @@ static void __devexit adp5588_gpio_remove(struct device *dev) 
		dev_warn(dev, "gpiochip_remove failed %d\n", error);

}

#else

static inline int adp5588_gpio_add(struct device *dev)

static inline int adp5588_gpio_add(struct adp5588_kpad *kpad)

{

	return 0;

}



static inline void adp5588_gpio_remove(struct device *dev)

static inline void adp5588_gpio_remove(struct adp5588_kpad *kpad)

{

}

#endif
@@ -581,7 +589,7 @@ static int __devinit adp5588_probe(struct i2c_client *client, 
	if (kpad->gpimapsize)

		adp5588_report_switch_state(kpad);



	error = adp5588_gpio_add(&client->dev);

	error = adp5588_gpio_add(kpad);

	if (error)

		goto err_free_irq;
@@ -611,7 +619,7 @@ static int __devexit adp5588_remove(struct i2c_client *client) 
	free_irq(client->irq, kpad);

	cancel_delayed_work_sync(&kpad->work);

	input_unregister_device(kpad->input);

	adp5588_gpio_remove(&client->dev);

	adp5588_gpio_remove(kpad);

	kfree(kpad);



	return 0;