author | Viresh Kumar <viresh.kumar@linaro.org> | 2016-02-12 16:08:27 +0530 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@google.com> | 2016-02-15 14:51:20 -0800 |
commit | 2554eda5756a37118ab310bd02de78491303ab5f (patch) | |
tree | 687be3ed9dbdb5cefe86b5bd281ab3ed3525303a /drivers/staging | |
parent | c463593c3dbc8d4dcb132538b0116256fa0cc455 (diff) |
greybus: raw: Don't use (possibly) uninitialized raw->device in gb_raw_receive()
If an incoming request comes on the connection, before the driver has
allocated its raw->device in gb_raw_connection_init(), then it might
result in a crash while printing error messages.
Fix that by using bundle->dev for printing error messages.
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Reviewed-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Diffstat (limited to 'drivers/staging')
-rw-r--r-- | drivers/staging/greybus/raw.c | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/drivers/staging/greybus/raw.c b/drivers/staging/greybus/raw.c
index d2e0281e86c5..ed17ba3ca0b3 100644
--- a/drivers/staging/greybus/raw.c
+++ b/drivers/staging/greybus/raw.c
@@ -57,17 +57,17 @@ static DEFINE_IDA(minors);
 static int receive_data(struct gb_raw *raw, u32 len, u8 *data)
 {
 struct raw_data *raw_data;
+ struct device *dev = &raw->connection->bundle->dev;
 int retval = 0;
 if (len > MAX_PACKET_SIZE) {
- dev_err(raw->device, "Too big of a data packet, rejected\n");
+ dev_err(dev, "Too big of a data packet, rejected\n");
 return -EINVAL;
 }
 mutex_lock(&raw->list_lock);
 if ((raw->list_data + len) > MAX_DATA_SIZE) {
- dev_err(raw->device,
- "Too much data in receive buffer, now dropping packets\n");
+ dev_err(dev, "Too much data in receive buffer, now dropping packets\n");
 retval = -EINVAL;
 goto exit;
 }
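Review bot: The new initializer `struct device *dev = &raw->connection->bundle->dev;` in receive_data() dereferences `raw` and `raw->connection` before any check, so the function now relies on both being set by the time a request can arrive, which is the same early-request window the commit message describes for `raw->device`. The hunk does not show where `raw->connection` is assigned, so that ordering should be confirmed and recorded, for example with a comment above the declaration: `/* raw->connection is assigned before requests can be delivered; raw->device may not exist yet */`. Alternatively, gb_raw_receive() already derives `dev` from `op->connection` without going through `raw` and could pass it in. The body of receive_data() continues past the end of this hunk.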
@@ -91,32 +91,31 @@ exit:
 static int gb_raw_receive(u8 type, struct gb_operation *op)
 {
 struct gb_connection *connection = op->connection;
+ struct device *dev = &connection->bundle->dev;
 struct gb_raw *raw = connection->private;
 struct gb_raw_send_request *receive;
 u32 len;
 if (type != GB_RAW_TYPE_SEND) {
- dev_err(raw->device, "unknown request type %d\n", type);
+ dev_err(dev, "unknown request type %d\n", type);
 return -EINVAL;
 }
 /* Verify size of payload */
 if (op->request->payload_size < sizeof(*receive)) {
- dev_err(raw->device, "raw receive request too small (%zu < %zu)\n",
+ dev_err(dev, "raw receive request too small (%zu < %zu)\n",
 op->request->payload_size, sizeof(*receive));
 return -EINVAL;
 }
 receive = op->request->payload;
 len = le32_to_cpu(receive->len);
 if (len != (int)(op->request->payload_size - sizeof(__le32))) {
- dev_err(raw->device,
- "raw receive request wrong size %d vs %d\n",
- len,
+ dev_err(dev, "raw receive request wrong size %d vs %d\n", len,
 (int)(op->request->payload_size - sizeof(__le32)));
 return -EINVAL;
 }
 if (len == 0) {
- dev_err(raw->device, "raw receive request of 0 bytes?\n");
+ dev_err(dev, "raw receive request of 0 bytes?\n");
 return -EINVAL;
 }
 |
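Review bot: In the length check of gb_raw_receive(), `len` is a `u32` taken from the request payload, yet it is compared against an `(int)` cast of a `size_t` expression and printed with `%d`, so an oversized length sent by the peer is logged as a negative number. Keeping the arithmetic unsigned avoids the casts: `if (len != op->request->payload_size - sizeof(__le32)) {` with `dev_err(dev, "raw receive request wrong size %u vs %zu\n", len, op->request->payload_size - sizeof(__le32));`. The subtraction cannot wrap only if `sizeof(*receive)`, which is checked just above, is at least `sizeof(__le32)`; the hunk does not show the struct definition, so that should be confirmed. The function continues after the last line of the hunk.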