aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2008-06-12 05:58:56 -0400
committerJohn W. Linville <linville@tuxdriver.com>2008-06-13 16:14:48 -0400
commit028118a5f09a9c807e6b43e2231efdff9f224c74 (patch)
tree10ae9463691e3decc9bd4773682a35418cdf2b10
parent051c256f672efa356a4cda1841132dbc86541090 (diff)
b43: Fix possible NULL pointer dereference in DMA code
This fixes a possible NULL pointer dereference in an error path of the DMA allocation error checking code. This is also necessary for a future DMA API change that is on its way into the mainline kernel that adds an additional dev parameter to dma_mapping_error(). This patch moves the whole struct b43_dmaring struct initialization right before any DMA allocation operation. Reported-by: Miles Lane <miles.lane@gmail.com> Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/b43/dma.c65
1 files changed, 32 insertions, 33 deletions
diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c
index 6dcbb3c87e72..e23f2f172bd7 100644
--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -795,24 +795,49 @@ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev,
795{ 795{
796 struct b43_dmaring *ring; 796 struct b43_dmaring *ring;
797 int err; 797 int err;
798 int nr_slots;
799 dma_addr_t dma_test; 798 dma_addr_t dma_test;
800 799
801 ring = kzalloc(sizeof(*ring), GFP_KERNEL); 800 ring = kzalloc(sizeof(*ring), GFP_KERNEL);
802 if (!ring) 801 if (!ring)
803 goto out; 802 goto out;
804 ring->type = type;
805 803
806 nr_slots = B43_RXRING_SLOTS; 804 ring->nr_slots = B43_RXRING_SLOTS;
807 if (for_tx) 805 if (for_tx)
808 nr_slots = B43_TXRING_SLOTS; 806 ring->nr_slots = B43_TXRING_SLOTS;
809 807
810 ring->meta = kcalloc(nr_slots, sizeof(struct b43_dmadesc_meta), 808 ring->meta = kcalloc(ring->nr_slots, sizeof(struct b43_dmadesc_meta),
811 GFP_KERNEL); 809 GFP_KERNEL);
812 if (!ring->meta) 810 if (!ring->meta)
813 goto err_kfree_ring; 811 goto err_kfree_ring;
812
813 ring->type = type;
814 ring->dev = dev;
815 ring->mmio_base = b43_dmacontroller_base(type, controller_index);
816 ring->index = controller_index;
817 if (type == B43_DMA_64BIT)
818 ring->ops = &dma64_ops;
819 else
820 ring->ops = &dma32_ops;
814 if (for_tx) { 821 if (for_tx) {
815 ring->txhdr_cache = kcalloc(nr_slots, 822 ring->tx = 1;
823 ring->current_slot = -1;
824 } else {
825 if (ring->index == 0) {
826 ring->rx_buffersize = B43_DMA0_RX_BUFFERSIZE;
827 ring->frameoffset = B43_DMA0_RX_FRAMEOFFSET;
828 } else if (ring->index == 3) {
829 ring->rx_buffersize = B43_DMA3_RX_BUFFERSIZE;
830 ring->frameoffset = B43_DMA3_RX_FRAMEOFFSET;
831 } else
832 B43_WARN_ON(1);
833 }
834 spin_lock_init(&ring->lock);
835#ifdef CONFIG_B43_DEBUG
836 ring->last_injected_overflow = jiffies;
837#endif
838
839 if (for_tx) {
840 ring->txhdr_cache = kcalloc(ring->nr_slots,
816 b43_txhdr_size(dev), 841 b43_txhdr_size(dev),
817 GFP_KERNEL); 842 GFP_KERNEL);
818 if (!ring->txhdr_cache) 843 if (!ring->txhdr_cache)
@@ -828,7 +853,7 @@ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev,
828 b43_txhdr_size(dev), 1)) { 853 b43_txhdr_size(dev), 1)) {
829 /* ugh realloc */ 854 /* ugh realloc */
830 kfree(ring->txhdr_cache); 855 kfree(ring->txhdr_cache);
831 ring->txhdr_cache = kcalloc(nr_slots, 856 ring->txhdr_cache = kcalloc(ring->nr_slots,
832 b43_txhdr_size(dev), 857 b43_txhdr_size(dev),
833 GFP_KERNEL | GFP_DMA); 858 GFP_KERNEL | GFP_DMA);
834 if (!ring->txhdr_cache) 859 if (!ring->txhdr_cache)
@@ -853,32 +878,6 @@ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev,
853 DMA_TO_DEVICE); 878 DMA_TO_DEVICE);
854 } 879 }
855 880
856 ring->dev = dev;
857 ring->nr_slots = nr_slots;
858 ring->mmio_base = b43_dmacontroller_base(type, controller_index);
859 ring->index = controller_index;
860 if (type == B43_DMA_64BIT)
861 ring->ops = &dma64_ops;
862 else
863 ring->ops = &dma32_ops;
864 if (for_tx) {
865 ring->tx = 1;
866 ring->current_slot = -1;
867 } else {
868 if (ring->index == 0) {
869 ring->rx_buffersize = B43_DMA0_RX_BUFFERSIZE;
870 ring->frameoffset = B43_DMA0_RX_FRAMEOFFSET;
871 } else if (ring->index == 3) {
872 ring->rx_buffersize = B43_DMA3_RX_BUFFERSIZE;
873 ring->frameoffset = B43_DMA3_RX_FRAMEOFFSET;
874 } else
875 B43_WARN_ON(1);
876 }
877 spin_lock_init(&ring->lock);
878#ifdef CONFIG_B43_DEBUG
879 ring->last_injected_overflow = jiffies;
880#endif
881
882 err = alloc_ringmemory(ring); 881 err = alloc_ringmemory(ring);
883 if (err) 882 if (err)
884 goto err_kfree_txhdr_cache; 883 goto err_kfree_txhdr_cache;