Commit b9b64e6e89fc5a6ef220747115c5b7764614ca3f
1 parent
803db244b9
[OPENPROMIO]: Handle current_node being NULL correctly.
If the user tries to traverse to the next node of the last node, we get NULL in current_node and a zero phandle returned. That's fine, but if the user tries to obtain properties in that state, we try to dereference a NULL pointer in the downcall to the of_*() routines. So protect against that. Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 10 additions and 3 deletions Side-by-side Diff
drivers/sbus/char/openprom.c
| ... | ... | @@ -145,8 +145,9 @@ |
| 145 | 145 | void *pval; |
| 146 | 146 | int len; |
| 147 | 147 | |
| 148 | - pval = of_get_property(dp, op->oprom_array, &len); | |
| 149 | - if (!pval || len <= 0 || len > bufsize) | |
| 148 | + if (!dp || | |
| 149 | + !(pval = of_get_property(dp, op->oprom_array, &len)) || | |
| 150 | + len <= 0 || len > bufsize) | |
| 150 | 151 | return copyout(argp, op, sizeof(int)); |
| 151 | 152 | |
| 152 | 153 | memcpy(op->oprom_array, pval, len); |
| ... | ... | @@ -161,6 +162,8 @@ |
| 161 | 162 | struct property *prop; |
| 162 | 163 | int len; |
| 163 | 164 | |
| 165 | + if (!dp) | |
| 166 | + return copyout(argp, op, sizeof(int)); | |
| 164 | 167 | if (op->oprom_array[0] == '\0') { |
| 165 | 168 | prop = dp->properties; |
| 166 | 169 | if (!prop) |
| 167 | 170 | |
| 168 | 171 | |
| ... | ... | @@ -266,9 +269,13 @@ |
| 266 | 269 | |
| 267 | 270 | static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data) |
| 268 | 271 | { |
| 272 | + phandle ph = 0; | |
| 273 | + | |
| 269 | 274 | dp = of_find_node_by_path(op->oprom_array); |
| 275 | + if (dp) | |
| 276 | + ph = dp->node; | |
| 270 | 277 | data->current_node = dp; |
| 271 | - *((int *)op->oprom_array) = dp->node; | |
| 278 | + *((int *)op->oprom_array) = ph; | |
| 272 | 279 | op->oprom_size = sizeof(int); |
| 273 | 280 | |
| 274 | 281 | return copyout(argp, op, bufsize + sizeof(int)); |