aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDmitry Torokhov <dmitry.torokhov@gmail.com>2010-08-02 21:33:26 -0400
committerDmitry Torokhov <dmitry.torokhov@gmail.com>2010-08-02 21:34:07 -0400
commit0d87c7228a49e8342d60dd552892e470e0b291fa (patch)
tree1282bcec7d8360d9f49b122fd3dca73f2787f47c
parent60347c194acec7ff1b4291ac8e62a5345244c2ee (diff)
Input: adp5588-keypad - fix NULL dereference in adp5588_gpio_add()
The kpad structure is assigned to i2c client via i2s_set_clientdata() at the end of adp5588_probe(), but in adp5588_gpio_add() we tried to access it (via dev_get_drvdata! which is not nice at all) causing an oops. Let's pass pointer to kpad directly into adp5588_gpio_add() and adp5588_gpio_remove() to avoid accessing driver data before it is set up. Also split out building of gpiomap into a separate function to clear the logic. Reported-by: Michael Hennerich <michael.hennerich@analog.com> Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
-rw-r--r--drivers/input/keyboard/adp5588-keys.c66
1 files changed, 37 insertions, 29 deletions
diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c
index c39ec93c0c5..d6918cb966c 100644
--- a/drivers/input/keyboard/adp5588-keys.c
+++ b/drivers/input/keyboard/adp5588-keys.c
@@ -173,41 +173,49 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip,
173 return ret; 173 return ret;
174} 174}
175 175
176static int __devinit adp5588_gpio_add(struct device *dev) 176static int __devinit adp5588_build_gpiomap(struct adp5588_kpad *kpad,
177 const struct adp5588_kpad_platform_data *pdata)
177{ 178{
178 struct adp5588_kpad *kpad = dev_get_drvdata(dev); 179 bool pin_used[MAXGPIO];
179 const struct adp5588_kpad_platform_data *pdata = dev->platform_data; 180 int n_unused = 0;
180 const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; 181 int i;
181 int i, error;
182 182
183 if (gpio_data) { 183 memset(pin_used, 0, sizeof(pin_used));
184 int j = 0;
185 bool pin_used[MAXGPIO];
186 184
187 for (i = 0; i < pdata->rows; i++) 185 for (i = 0; i < pdata->rows; i++)
188 pin_used[i] = true; 186 pin_used[i] = true;
189 187
190 for (i = 0; i < pdata->cols; i++) 188 for (i = 0; i < pdata->cols; i++)
191 pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true; 189 pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true;
192 190
193 for (i = 0; i < kpad->gpimapsize; i++) 191 for (i = 0; i < kpad->gpimapsize; i++)
194 pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true; 192 pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true;
195 193
196 for (i = 0; i < MAXGPIO; i++) { 194 for (i = 0; i < MAXGPIO; i++)
197 if (!pin_used[i]) 195 if (!pin_used[i])
198 kpad->gpiomap[j++] = i; 196 kpad->gpiomap[n_unused++] = i;
199 }
200 kpad->gc.ngpio = j;
201 197
202 if (kpad->gc.ngpio) 198 return n_unused;
203 kpad->export_gpio = true; 199}
204 }
205 200
206 if (!kpad->export_gpio) { 201static int __devinit adp5588_gpio_add(struct adp5588_kpad *kpad)
202{
203 struct device *dev = &kpad->client->dev;
204 const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
205 const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
206 int i, error;
207
208 if (!gpio_data)
209 return 0;
210
211 kpad->gc.ngpio = adp5588_build_gpiomap(kpad, pdata);
212 if (kpad->gc.ngpio == 0) {
207 dev_info(dev, "No unused gpios left to export\n"); 213 dev_info(dev, "No unused gpios left to export\n");
208 return 0; 214 return 0;
209 } 215 }
210 216
217 kpad->export_gpio = true;
218
211 kpad->gc.direction_input = adp5588_gpio_direction_input; 219 kpad->gc.direction_input = adp5588_gpio_direction_input;
212 kpad->gc.direction_output = adp5588_gpio_direction_output; 220 kpad->gc.direction_output = adp5588_gpio_direction_output;
213 kpad->gc.get = adp5588_gpio_get_value; 221 kpad->gc.get = adp5588_gpio_get_value;
@@ -243,9 +251,9 @@ static int __devinit adp5588_gpio_add(struct device *dev)
243 return 0; 251 return 0;
244} 252}
245 253
246static void __devexit adp5588_gpio_remove(struct device *dev) 254static void __devexit adp5588_gpio_remove(struct adp5588_kpad *kpad)
247{ 255{
248 struct adp5588_kpad *kpad = dev_get_drvdata(dev); 256 struct device *dev = &kpad->client->dev;
249 const struct adp5588_kpad_platform_data *pdata = dev->platform_data; 257 const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
250 const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data; 258 const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
251 int error; 259 int error;
@@ -266,12 +274,12 @@ static void __devexit adp5588_gpio_remove(struct device *dev)
266 dev_warn(dev, "gpiochip_remove failed %d\n", error); 274 dev_warn(dev, "gpiochip_remove failed %d\n", error);
267} 275}
268#else 276#else
269static inline int adp5588_gpio_add(struct device *dev) 277static inline int adp5588_gpio_add(struct adp5588_kpad *kpad)
270{ 278{
271 return 0; 279 return 0;
272} 280}
273 281
274static inline void adp5588_gpio_remove(struct device *dev) 282static inline void adp5588_gpio_remove(struct adp5588_kpad *kpad)
275{ 283{
276} 284}
277#endif 285#endif
@@ -581,7 +589,7 @@ static int __devinit adp5588_probe(struct i2c_client *client,
581 if (kpad->gpimapsize) 589 if (kpad->gpimapsize)
582 adp5588_report_switch_state(kpad); 590 adp5588_report_switch_state(kpad);
583 591
584 error = adp5588_gpio_add(&client->dev); 592 error = adp5588_gpio_add(kpad);
585 if (error) 593 if (error)
586 goto err_free_irq; 594 goto err_free_irq;
587 595
@@ -611,7 +619,7 @@ static int __devexit adp5588_remove(struct i2c_client *client)
611 free_irq(client->irq, kpad); 619 free_irq(client->irq, kpad);
612 cancel_delayed_work_sync(&kpad->work); 620 cancel_delayed_work_sync(&kpad->work);
613 input_unregister_device(kpad->input); 621 input_unregister_device(kpad->input);
614 adp5588_gpio_remove(&client->dev); 622 adp5588_gpio_remove(kpad);
615 kfree(kpad); 623 kfree(kpad);
616 624
617 return 0; 625 return 0;