Commit 0d87c722 authored by Dmitry Torokhov's avatar Dmitry Torokhov

Input: adp5588-keypad - fix NULL dereference in adp5588_gpio_add()

The kpad structure is assigned to i2c client via i2s_set_clientdata()
at the end of adp5588_probe(), but in adp5588_gpio_add() we tried to
access it (via dev_get_drvdata! which is not nice at all) causing an
oops.

Let's pass pointer to kpad directly into adp5588_gpio_add() and
adp5588_gpio_remove() to avoid accessing driver data before it is
set up.

Also split out building of gpiomap into a separate function to
clear the logic.
Reported-by: default avatarMichael Hennerich <michael.hennerich@analog.com>
Signed-off-by: default avatarDmitry Torokhov <dtor@mail.ru>
parent 60347c19
...@@ -173,41 +173,49 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip, ...@@ -173,41 +173,49 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip,
return ret; return ret;
} }
static int __devinit adp5588_gpio_add(struct device *dev) static int __devinit adp5588_build_gpiomap(struct adp5588_kpad *kpad,
const struct adp5588_kpad_platform_data *pdata)
{ {
struct adp5588_kpad *kpad = dev_get_drvdata(dev); bool pin_used[MAXGPIO];
const struct adp5588_kpad_platform_data *pdata = dev->platform_data; int n_unused = 0;
const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; int i;
int i, error;
if (gpio_data) { memset(pin_used, 0, sizeof(pin_used));
int j = 0;
bool pin_used[MAXGPIO];
for (i = 0; i < pdata->rows; i++) for (i = 0; i < pdata->rows; i++)
pin_used[i] = true; pin_used[i] = true;
for (i = 0; i < pdata->cols; i++) for (i = 0; i < pdata->cols; i++)
pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true; pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true;
for (i = 0; i < kpad->gpimapsize; i++) for (i = 0; i < kpad->gpimapsize; i++)
pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true; pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true;
for (i = 0; i < MAXGPIO; i++) { for (i = 0; i < MAXGPIO; i++)
if (!pin_used[i]) if (!pin_used[i])
kpad->gpiomap[j++] = i; kpad->gpiomap[n_unused++] = i;
}
kpad->gc.ngpio = j;
if (kpad->gc.ngpio) return n_unused;
kpad->export_gpio = true; }
}
if (!kpad->export_gpio) { static int __devinit adp5588_gpio_add(struct adp5588_kpad *kpad)
{
struct device *dev = &kpad->client->dev;
const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
int i, error;
if (!gpio_data)
return 0;
kpad->gc.ngpio = adp5588_build_gpiomap(kpad, pdata);
if (kpad->gc.ngpio == 0) {
dev_info(dev, "No unused gpios left to export\n"); dev_info(dev, "No unused gpios left to export\n");
return 0; return 0;
} }
kpad->export_gpio = true;
kpad->gc.direction_input = adp5588_gpio_direction_input; kpad->gc.direction_input = adp5588_gpio_direction_input;
kpad->gc.direction_output = adp5588_gpio_direction_output; kpad->gc.direction_output = adp5588_gpio_direction_output;
kpad->gc.get = adp5588_gpio_get_value; kpad->gc.get = adp5588_gpio_get_value;
...@@ -243,9 +251,9 @@ static int __devinit adp5588_gpio_add(struct device *dev) ...@@ -243,9 +251,9 @@ static int __devinit adp5588_gpio_add(struct device *dev)
return 0; return 0;
} }
static void __devexit adp5588_gpio_remove(struct device *dev) static void __devexit adp5588_gpio_remove(struct adp5588_kpad *kpad)
{ {
struct adp5588_kpad *kpad = dev_get_drvdata(dev); struct device *dev = &kpad->client->dev;
const struct adp5588_kpad_platform_data *pdata = dev->platform_data; const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
int error; int error;
...@@ -266,12 +274,12 @@ static void __devexit adp5588_gpio_remove(struct device *dev) ...@@ -266,12 +274,12 @@ static void __devexit adp5588_gpio_remove(struct device *dev)
dev_warn(dev, "gpiochip_remove failed %d\n", error); dev_warn(dev, "gpiochip_remove failed %d\n", error);
} }
#else #else
static inline int adp5588_gpio_add(struct device *dev) static inline int adp5588_gpio_add(struct adp5588_kpad *kpad)
{ {
return 0; return 0;
} }
static inline void adp5588_gpio_remove(struct device *dev) static inline void adp5588_gpio_remove(struct adp5588_kpad *kpad)
{ {
} }
#endif #endif
...@@ -581,7 +589,7 @@ static int __devinit adp5588_probe(struct i2c_client *client, ...@@ -581,7 +589,7 @@ static int __devinit adp5588_probe(struct i2c_client *client,
if (kpad->gpimapsize) if (kpad->gpimapsize)
adp5588_report_switch_state(kpad); adp5588_report_switch_state(kpad);
error = adp5588_gpio_add(&client->dev); error = adp5588_gpio_add(kpad);
if (error) if (error)
goto err_free_irq; goto err_free_irq;
...@@ -611,7 +619,7 @@ static int __devexit adp5588_remove(struct i2c_client *client) ...@@ -611,7 +619,7 @@ static int __devexit adp5588_remove(struct i2c_client *client)
free_irq(client->irq, kpad); free_irq(client->irq, kpad);
cancel_delayed_work_sync(&kpad->work); cancel_delayed_work_sync(&kpad->work);
input_unregister_device(kpad->input); input_unregister_device(kpad->input);
adp5588_gpio_remove(&client->dev); adp5588_gpio_remove(kpad);
kfree(kpad); kfree(kpad);
return 0; return 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment