aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/input
diff options
context:
space:
mode:
authorDmitry Torokhov <dmitry.torokhov@gmail.com>2010-08-02 18:33:26 -0700
committerDmitry Torokhov <dmitry.torokhov@gmail.com>2010-08-02 18:34:07 -0700
commit0d87c7228a49e8342d60dd552892e470e0b291fa (patch)
tree1282bcec7d8360d9f49b122fd3dca73f2787f47c /drivers/input
parent60347c194acec7ff1b4291ac8e62a5345244c2ee (diff)
downloadkernel_samsung_tuna-0d87c7228a49e8342d60dd552892e470e0b291fa.zip
kernel_samsung_tuna-0d87c7228a49e8342d60dd552892e470e0b291fa.tar.gz
kernel_samsung_tuna-0d87c7228a49e8342d60dd552892e470e0b291fa.tar.bz2
Input: adp5588-keypad - fix NULL dereference in adp5588_gpio_add()
The kpad structure is assigned to i2c client via i2s_set_clientdata() at the end of adp5588_probe(), but in adp5588_gpio_add() we tried to access it (via dev_get_drvdata! which is not nice at all) causing an oops. Let's pass pointer to kpad directly into adp5588_gpio_add() and adp5588_gpio_remove() to avoid accessing driver data before it is set up. Also split out building of gpiomap into a separate function to clear the logic. Reported-by: Michael Hennerich <michael.hennerich@analog.com> Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Diffstat (limited to 'drivers/input')
-rw-r--r--drivers/input/keyboard/adp5588-keys.c66
1 files changed, 37 insertions, 29 deletions
diff --git a/drivers/input/keyboard/adp5588-keys.c b/drivers/input/keyboard/adp5588-keys.c
index c39ec93..d6918cb 100644
--- a/drivers/input/keyboard/adp5588-keys.c
+++ b/drivers/input/keyboard/adp5588-keys.c
@@ -173,41 +173,49 @@ static int adp5588_gpio_direction_output(struct gpio_chip *chip,
return ret;
}
-static int __devinit adp5588_gpio_add(struct device *dev)
+static int __devinit adp5588_build_gpiomap(struct adp5588_kpad *kpad,
+ const struct adp5588_kpad_platform_data *pdata)
{
- struct adp5588_kpad *kpad = dev_get_drvdata(dev);
- const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
- const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
- int i, error;
+ bool pin_used[MAXGPIO];
+ int n_unused = 0;
+ int i;
- if (gpio_data) {
- int j = 0;
- bool pin_used[MAXGPIO];
+ memset(pin_used, 0, sizeof(pin_used));
- for (i = 0; i < pdata->rows; i++)
- pin_used[i] = true;
+ for (i = 0; i < pdata->rows; i++)
+ pin_used[i] = true;
- for (i = 0; i < pdata->cols; i++)
- pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true;
+ for (i = 0; i < pdata->cols; i++)
+ pin_used[i + GPI_PIN_COL_BASE - GPI_PIN_BASE] = true;
- for (i = 0; i < kpad->gpimapsize; i++)
- pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true;
+ for (i = 0; i < kpad->gpimapsize; i++)
+ pin_used[kpad->gpimap[i].pin - GPI_PIN_BASE] = true;
- for (i = 0; i < MAXGPIO; i++) {
- if (!pin_used[i])
- kpad->gpiomap[j++] = i;
- }
- kpad->gc.ngpio = j;
+ for (i = 0; i < MAXGPIO; i++)
+ if (!pin_used[i])
+ kpad->gpiomap[n_unused++] = i;
- if (kpad->gc.ngpio)
- kpad->export_gpio = true;
- }
+ return n_unused;
+}
- if (!kpad->export_gpio) {
+static int __devinit adp5588_gpio_add(struct adp5588_kpad *kpad)
+{
+ struct device *dev = &kpad->client->dev;
+ const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
+ const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
+ int i, error;
+
+ if (!gpio_data)
+ return 0;
+
+ kpad->gc.ngpio = adp5588_build_gpiomap(kpad, pdata);
+ if (kpad->gc.ngpio == 0) {
dev_info(dev, "No unused gpios left to export\n");
return 0;
}
+ kpad->export_gpio = true;
+
kpad->gc.direction_input = adp5588_gpio_direction_input;
kpad->gc.direction_output = adp5588_gpio_direction_output;
kpad->gc.get = adp5588_gpio_get_value;
@@ -243,9 +251,9 @@ static int __devinit adp5588_gpio_add(struct device *dev)
return 0;
}
-static void __devexit adp5588_gpio_remove(struct device *dev)
+static void __devexit adp5588_gpio_remove(struct adp5588_kpad *kpad)
{
- struct adp5588_kpad *kpad = dev_get_drvdata(dev);
+ struct device *dev = &kpad->client->dev;
const struct adp5588_kpad_platform_data *pdata = dev->platform_data;
const struct adp5588_gpio_platform_data *gpio_data = pdata->gpio_data;
int error;
@@ -266,12 +274,12 @@ static void __devexit adp5588_gpio_remove(struct device *dev)
dev_warn(dev, "gpiochip_remove failed %d\n", error);
}
#else
-static inline int adp5588_gpio_add(struct device *dev)
+static inline int adp5588_gpio_add(struct adp5588_kpad *kpad)
{
return 0;
}
-static inline void adp5588_gpio_remove(struct device *dev)
+static inline void adp5588_gpio_remove(struct adp5588_kpad *kpad)
{
}
#endif
@@ -581,7 +589,7 @@ static int __devinit adp5588_probe(struct i2c_client *client,
if (kpad->gpimapsize)
adp5588_report_switch_state(kpad);
- error = adp5588_gpio_add(&client->dev);
+ error = adp5588_gpio_add(kpad);
if (error)
goto err_free_irq;
@@ -611,7 +619,7 @@ static int __devexit adp5588_remove(struct i2c_client *client)
free_irq(client->irq, kpad);
cancel_delayed_work_sync(&kpad->work);
input_unregister_device(kpad->input);
- adp5588_gpio_remove(&client->dev);
+ adp5588_gpio_remove(kpad);
kfree(kpad);
return 0;