iio: inv_mpu6050: Fix use-after-free in ACPI code

In some cases this can result in incorrectly returning a negative value from asus_acpi_get_sensor_info and the AK8963 magnetometer failing to show up. Note cpm is an alias for buffer.pointer which isn't apparent in this patch on it's own. Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Signed-off-by: Crestez Dan Leonard <leonard.crestez@intel.com> Acked-by: Daniel Baluta <daniel.baluta@intel.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
author: Crestez Dan Leonard <leonard.crestez@intel.com> 2016-06-03 14:30:24 -0400
committer: Jonathan Cameron <jic23@kernel.org> 2016-06-11 12:20:27 -0400
commit: 6e85dbe4b461e59fa3cad6f6235cb47fa4c6a629 (patch)
tree: dc8e9b4c1756106839dc3640112f67c4e0750996
parent: a9cc4006155a68dd0940728f4f222dd035180904 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
index f62b8bd9ad7e..dd6fc6d21f9d 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
@@ -56,6 +56,7 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
        int i;
        acpi_status status;
        union acpi_object *cpm;
+        int ret;
        status = acpi_evaluate_object(adev->handle, "CNF0", NULL, &buffer);
        if (ACPI_FAILURE(status))
@@ -82,10 +83,10 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
                        }
                }
        }
+        ret = cpm->package.count;
        kfree(buffer.pointer);
-        return cpm->package.count;
+        return ret;
 }
 static int acpi_i2c_check_resource(struct acpi_resource *ares, void *data)
author	Crestez Dan Leonard <leonard.crestez@intel.com>	2016-06-03 14:30:24 -0400
committer	Jonathan Cameron <jic23@kernel.org>	2016-06-11 12:20:27 -0400
commit	6e85dbe4b461e59fa3cad6f6235cb47fa4c6a629 (patch)
tree	dc8e9b4c1756106839dc3640112f67c4e0750996
parent	a9cc4006155a68dd0940728f4f222dd035180904 (diff)

diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c index f62b8bd9ad7e..dd6fc6d21f9d 100644 --- a/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c +++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
@@ -56,6 +56,7 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
56	int i;	56	int i;
57	acpi_status status;	57	acpi_status status;
58	union acpi_object *cpm;	58	union acpi_object *cpm;
		59	int ret;
59		60
60	status = acpi_evaluate_object(adev->handle, "CNF0", NULL, &buffer);	61	status = acpi_evaluate_object(adev->handle, "CNF0", NULL, &buffer);
61	if (ACPI_FAILURE(status))	62	if (ACPI_FAILURE(status))
@@ -82,10 +83,10 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
82	}	83	}
83	}	84	}
84	}	85	}
85		86	ret = cpm->package.count;
86	kfree(buffer.pointer);	87	kfree(buffer.pointer);
87		88
88	return cpm->package.count;	89	return ret;
89	}	90	}
90		91
91	static int acpi_i2c_check_resource(struct acpi_resource ares, void data)	92	static int acpi_i2c_check_resource(struct acpi_resource ares, void data)