diff options
author | Michael Buesch <mb@bu3sch.de> | 2008-06-12 05:58:56 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2008-06-13 16:14:48 -0400 |
commit | 028118a5f09a9c807e6b43e2231efdff9f224c74 (patch) | |
tree | 10ae9463691e3decc9bd4773682a35418cdf2b10 /drivers/net/wireless/b43 | |
parent | 051c256f672efa356a4cda1841132dbc86541090 (diff) |
b43: Fix possible NULL pointer dereference in DMA code
This fixes a possible NULL pointer dereference in an error path of the
DMA allocation error checking code. This is also necessary for a future
DMA API change that is on its way into the mainline kernel that adds
an additional dev parameter to dma_mapping_error().
This patch moves the whole struct b43_dmaring struct initialization
right before any DMA allocation operation.
Reported-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/b43')
-rw-r--r-- | drivers/net/wireless/b43/dma.c | 65 |
1 files changed, 32 insertions, 33 deletions
diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c index 6dcbb3c87e72..e23f2f172bd7 100644 --- a/drivers/net/wireless/b43/dma.c +++ b/drivers/net/wireless/b43/dma.c | |||
@@ -795,24 +795,49 @@ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev, | |||
795 | { | 795 | { |
796 | struct b43_dmaring *ring; | 796 | struct b43_dmaring *ring; |
797 | int err; | 797 | int err; |
798 | int nr_slots; | ||
799 | dma_addr_t dma_test; | 798 | dma_addr_t dma_test; |
800 | 799 | ||
801 | ring = kzalloc(sizeof(*ring), GFP_KERNEL); | 800 | ring = kzalloc(sizeof(*ring), GFP_KERNEL); |
802 | if (!ring) | 801 | if (!ring) |
803 | goto out; | 802 | goto out; |
804 | ring->type = type; | ||
805 | 803 | ||
806 | nr_slots = B43_RXRING_SLOTS; | 804 | ring->nr_slots = B43_RXRING_SLOTS; |
807 | if (for_tx) | 805 | if (for_tx) |
808 | nr_slots = B43_TXRING_SLOTS; | 806 | ring->nr_slots = B43_TXRING_SLOTS; |
809 | 807 | ||
810 | ring->meta = kcalloc(nr_slots, sizeof(struct b43_dmadesc_meta), | 808 | ring->meta = kcalloc(ring->nr_slots, sizeof(struct b43_dmadesc_meta), |
811 | GFP_KERNEL); | 809 | GFP_KERNEL); |
812 | if (!ring->meta) | 810 | if (!ring->meta) |
813 | goto err_kfree_ring; | 811 | goto err_kfree_ring; |
812 | |||
813 | ring->type = type; | ||
814 | ring->dev = dev; | ||
815 | ring->mmio_base = b43_dmacontroller_base(type, controller_index); | ||
816 | ring->index = controller_index; | ||
817 | if (type == B43_DMA_64BIT) | ||
818 | ring->ops = &dma64_ops; | ||
819 | else | ||
820 | ring->ops = &dma32_ops; | ||
814 | if (for_tx) { | 821 | if (for_tx) { |
815 | ring->txhdr_cache = kcalloc(nr_slots, | 822 | ring->tx = 1; |
823 | ring->current_slot = -1; | ||
824 | } else { | ||
825 | if (ring->index == 0) { | ||
826 | ring->rx_buffersize = B43_DMA0_RX_BUFFERSIZE; | ||
827 | ring->frameoffset = B43_DMA0_RX_FRAMEOFFSET; | ||
828 | } else if (ring->index == 3) { | ||
829 | ring->rx_buffersize = B43_DMA3_RX_BUFFERSIZE; | ||
830 | ring->frameoffset = B43_DMA3_RX_FRAMEOFFSET; | ||
831 | } else | ||
832 | B43_WARN_ON(1); | ||
833 | } | ||
834 | spin_lock_init(&ring->lock); | ||
835 | #ifdef CONFIG_B43_DEBUG | ||
836 | ring->last_injected_overflow = jiffies; | ||
837 | #endif | ||
838 | |||
839 | if (for_tx) { | ||
840 | ring->txhdr_cache = kcalloc(ring->nr_slots, | ||
816 | b43_txhdr_size(dev), | 841 | b43_txhdr_size(dev), |
817 | GFP_KERNEL); | 842 | GFP_KERNEL); |
818 | if (!ring->txhdr_cache) | 843 | if (!ring->txhdr_cache) |
@@ -828,7 +853,7 @@ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev, | |||
828 | b43_txhdr_size(dev), 1)) { | 853 | b43_txhdr_size(dev), 1)) { |
829 | /* ugh realloc */ | 854 | /* ugh realloc */ |
830 | kfree(ring->txhdr_cache); | 855 | kfree(ring->txhdr_cache); |
831 | ring->txhdr_cache = kcalloc(nr_slots, | 856 | ring->txhdr_cache = kcalloc(ring->nr_slots, |
832 | b43_txhdr_size(dev), | 857 | b43_txhdr_size(dev), |
833 | GFP_KERNEL | GFP_DMA); | 858 | GFP_KERNEL | GFP_DMA); |
834 | if (!ring->txhdr_cache) | 859 | if (!ring->txhdr_cache) |
@@ -853,32 +878,6 @@ struct b43_dmaring *b43_setup_dmaring(struct b43_wldev *dev, | |||
853 | DMA_TO_DEVICE); | 878 | DMA_TO_DEVICE); |
854 | } | 879 | } |
855 | 880 | ||
856 | ring->dev = dev; | ||
857 | ring->nr_slots = nr_slots; | ||
858 | ring->mmio_base = b43_dmacontroller_base(type, controller_index); | ||
859 | ring->index = controller_index; | ||
860 | if (type == B43_DMA_64BIT) | ||
861 | ring->ops = &dma64_ops; | ||
862 | else | ||
863 | ring->ops = &dma32_ops; | ||
864 | if (for_tx) { | ||
865 | ring->tx = 1; | ||
866 | ring->current_slot = -1; | ||
867 | } else { | ||
868 | if (ring->index == 0) { | ||
869 | ring->rx_buffersize = B43_DMA0_RX_BUFFERSIZE; | ||
870 | ring->frameoffset = B43_DMA0_RX_FRAMEOFFSET; | ||
871 | } else if (ring->index == 3) { | ||
872 | ring->rx_buffersize = B43_DMA3_RX_BUFFERSIZE; | ||
873 | ring->frameoffset = B43_DMA3_RX_FRAMEOFFSET; | ||
874 | } else | ||
875 | B43_WARN_ON(1); | ||
876 | } | ||
877 | spin_lock_init(&ring->lock); | ||
878 | #ifdef CONFIG_B43_DEBUG | ||
879 | ring->last_injected_overflow = jiffies; | ||
880 | #endif | ||
881 | |||
882 | err = alloc_ringmemory(ring); | 881 | err = alloc_ringmemory(ring); |
883 | if (err) | 882 | if (err) |
884 | goto err_kfree_txhdr_cache; | 883 | goto err_kfree_txhdr_cache; |