diff options
author | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2010-08-02 18:33:26 -0700 |
---|---|---|
committer | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2010-08-02 18:34:07 -0700 |
commit | 0d87c7228a49e8342d60dd552892e470e0b291fa (patch) | |
tree | 1282bcec7d8360d9f49b122fd3dca73f2787f47c /drivers/input | |
parent | 60347c194acec7ff1b4291ac8e62a5345244c2ee (diff) | |
download | op-kernel-dev-0d87c7228a49e8342d60dd552892e470e0b291fa.zip op-kernel-dev-0d87c7228a49e8342d60dd552892e470e0b291fa.tar.gz |
Input: adp5588-keypad - fix NULL dereference in adp5588_gpio_add()
The kpad structure is assigned to i2c client via i2s_set_clientdata()
at the end of adp5588_probe(), but in adp5588_gpio_add() we tried to
access it (via dev_get_drvdata! which is not nice at all) causing an
oops.
Let's pass pointer to kpad directly into adp5588_gpio_add() and
adp5588_gpio_remove() to avoid accessing driver data before it is
set up.
Also split out building of gpiomap into a separate function to
clear the logic.
Reported-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Diffstat (limited to 'drivers/input')
-rw-r--r-- | drivers/input/keyboard/adp5588-keys.c | 66 |
1 files changed, 37 insertions, 29 deletions
diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c index c39ec93..d6918cb 100644 --- a/drivers/input/keyboard/adp5588-keys.c +++ b/drivers/input/keyboard/adp5588-keys.c @@ -173,41 +173,49 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip, return ret; } -static int __devinit adp5588_gpio_add(struct device *dev) +static int __devinit adp5588_build_gpiomap(struct adp5588_kpad *kpad, + const struct adp5588_kpad_platform_data *pdata) { - struct adp5588_kpad *kpad = dev_get_drvdata(dev); - const struct adp5588_kpad_platform_data *pdata = dev->platform_data; - const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; - int i, error; + bool pin_used[MAXGPIO]; + int n_unused = 0; + int i; - if (gpio_data) { - int j = 0; - bool pin_used[MAXGPIO]; + memset(pin_used, 0, sizeof(pin_used)); - for (i = 0; i < pdata->rows; i++) - pin_used[i] = true; + for (i = 0; i < pdata->rows; i++) + pin_used[i] = true; - for (i = 0; i < pdata->cols; i++) - pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true; + for (i = 0; i < pdata->cols; i++) + pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true; - for (i = 0; i < kpad->gpimapsize; i++) - pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true; + for (i = 0; i < kpad->gpimapsize; i++) + pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true; - for (i = 0; i < MAXGPIO; i++) { - if (!pin_used[i]) - kpad->gpiomap[j++] = i; - } - kpad->gc.ngpio = j; + for (i = 0; i < MAXGPIO; i++) + if (!pin_used[i]) + kpad->gpiomap[n_unused++] = i; - if (kpad->gc.ngpio) - kpad->export_gpio = true; - } + return n_unused; +} - if (!kpad->export_gpio) { +static int __devinit adp5588_gpio_add(struct adp5588_kpad *kpad) +{ + struct device *dev = &kpad->client->dev; + const struct adp5588_kpad_platform_data *pdata = dev->platform_data; + const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; + int i, error; + + if (!gpio_data) + return 0; + + kpad->gc.ngpio = adp5588_build_gpiomap(kpad, pdata); + if (kpad->gc.ngpio == 0) { dev_info(dev, "No unused gpios left to export\n"); return 0; } + kpad->export_gpio = true; + kpad->gc.direction_input = adp5588_gpio_direction_input; kpad->gc.direction_output = adp5588_gpio_direction_output; kpad->gc.get = adp5588_gpio_get_value; @@ -243,9 +251,9 @@ static int __devinit adp5588_gpio_add(struct device *dev) return 0; } -static void __devexit adp5588_gpio_remove(struct device *dev) +static void __devexit adp5588_gpio_remove(struct adp5588_kpad *kpad) { - struct adp5588_kpad *kpad = dev_get_drvdata(dev); + struct device *dev = &kpad->client->dev; const struct adp5588_kpad_platform_data *pdata = dev->platform_data; const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; int error; @@ -266,12 +274,12 @@ static void __devexit adp5588_gpio_remove(struct device *dev) dev_warn(dev, "gpiochip_remove failed %d\n", error); } #else -static inline int adp5588_gpio_add(struct device *dev) +static inline int adp5588_gpio_add(struct adp5588_kpad *kpad) { return 0; } -static inline void adp5588_gpio_remove(struct device *dev) +static inline void adp5588_gpio_remove(struct adp5588_kpad *kpad) { } #endif @@ -581,7 +589,7 @@ static int __devinit adp5588_probe(struct i2c_client *client, if (kpad->gpimapsize) adp5588_report_switch_state(kpad); - error = adp5588_gpio_add(&client->dev); + error = adp5588_gpio_add(kpad); if (error) goto err_free_irq; @@ -611,7 +619,7 @@ static int __devexit adp5588_remove(struct i2c_client *client) free_irq(client->irq, kpad); cancel_delayed_work_sync(&kpad->work); input_unregister_device(kpad->input); - adp5588_gpio_remove(&client->dev); + adp5588_gpio_remove(kpad); kfree(kpad); return 0; |