Commit b9b64e6e authored by David S. Miller's avatar David S. Miller

[OPENPROMIO]: Handle current_node being NULL correctly.

If the user tries to traverse to the next node of the
last node, we get NULL in current_node and a zero phandle
returned.  That's fine, but if the user tries to obtain
properties in that state, we try to dereference a NULL
pointer in the downcall to the of_*() routines.

So protect against that.
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 803db244
...@@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr ...@@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr
void *pval; void *pval;
int len; int len;
pval = of_get_property(dp, op->oprom_array, &len); if (!dp ||
if (!pval || len <= 0 || len > bufsize) !(pval = of_get_property(dp, op->oprom_array, &len)) ||
len <= 0 || len > bufsize)
return copyout(argp, op, sizeof(int)); return copyout(argp, op, sizeof(int));
memcpy(op->oprom_array, pval, len); memcpy(op->oprom_array, pval, len);
...@@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr ...@@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr
struct property *prop; struct property *prop;
int len; int len;
if (!dp)
return copyout(argp, op, sizeof(int));
if (op->oprom_array[0] == '\0') { if (op->oprom_array[0] == '\0') {
prop = dp->properties; prop = dp->properties;
if (!prop) if (!prop)
...@@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp ...@@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp
static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data) static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data)
{ {
phandle ph = 0;
dp = of_find_node_by_path(op->oprom_array); dp = of_find_node_by_path(op->oprom_array);
if (dp)
ph = dp->node;
data->current_node = dp; data->current_node = dp;
*((int *)op->oprom_array) = dp->node; *((int *)op->oprom_array) = ph;
op->oprom_size = sizeof(int); op->oprom_size = sizeof(int);
return copyout(argp, op, bufsize + sizeof(int)); return copyout(argp, op, bufsize + sizeof(int));
......
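Review bot: In oprompath2node, `*((int *)op->oprom_array) = ph;` stores sizeof(int) bytes into op->oprom_array, yet nothing visible in this section ensures that bufsize is at least sizeof(int). The allocation behind op is not shown on this page, so this needs confirming, but if that buffer is sized from a caller-supplied bufsize, a small value would let the store run past the end of the array. A guard before the store, such as `if (bufsize < (int)sizeof(int)) return -EINVAL;`, would make the bound explicit. The cast also assumes oprom_array is int-aligned, which `memcpy(op->oprom_array, &ph, sizeof(ph));` would avoid. The end of the function lies outside the visible lines.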