greybus: raw: Don't use (possibly) uninitialized raw->device in gb_raw_receive()

If an incoming request comes on the connection, before the driver has allocated its raw->device in gb_raw_connection_init(), then it might result in a crash while printing error messages. Fix that by using bundle->dev for printing error messages. Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

greybus: raw: Don't use (possibly) uninitialized raw->device in gb_raw_receive()
If an incoming request comes on the connection, before the driver has allocated its raw->device in gb_raw_connection_init(), then it might result in a crash while printing error messages. Fix that by using bundle->dev for printing error messages. Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Reviewed-by: Johan Hovold <johan@hovoldconsulting.com> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2554eda5 · Viresh Kumar · Greg Kroah-Hartman · c463593c · 2554eda5
Commit 2554eda5 authored Feb 12, 2016 by Viresh Kumar Committed by Greg Kroah-Hartman Feb 15, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 9 deletions

drivers/staging/greybus/raw.c drivers/staging/greybus/raw.c +8 -9

No files found.
--- a/drivers/staging/greybus/raw.c
+++ b/drivers/staging/greybus/raw.c
@@ -57,17 +57,17 @@ static DEFINE_IDA(minors);
 static int receive_data(struct gb_raw *raw, u32 len, u8 *data)
 {
 	struct raw_data *raw_data;
+	struct device *dev = &raw->connection->bundle->dev;
 	int retval = 0;

 	if (len > MAX_PACKET_SIZE) {
-		dev_err(raw->device, "Too big of a data packet, rejected\n");
+		dev_err(dev, "Too big of a data packet, rejected\n");
 		return -EINVAL;
 	}

 	mutex_lock(&raw->list_lock);
 	if ((raw->list_data + len) > MAX_DATA_SIZE) {
-		dev_err(raw->device,
-			"Too much data in receive buffer, now dropping packets\n");
+		dev_err(dev, "Too much data in receive buffer, now dropping packets\n");
 		retval = -EINVAL;
 		goto exit;
 	}
@@ -91,32 +91,31 @@ static int receive_data(struct gb_raw *raw, u32 len, u8 *data)
 static int gb_raw_receive(u8 type, struct gb_operation *op)
 {
 	struct gb_connection *connection = op->connection;
+	struct device *dev = &connection->bundle->dev;
 	struct gb_raw *raw = connection->private;
 	struct gb_raw_send_request *receive;
 	u32 len;

 	if (type != GB_RAW_TYPE_SEND) {
-		dev_err(raw->device, "unknown request type %d\n", type);
+		dev_err(dev, "unknown request type %d\n", type);
 		return -EINVAL;
 	}

 	/* Verify size of payload */
 	if (op->request->payload_size < sizeof(*receive)) {
-		dev_err(raw->device, "raw receive request too small (%zu < %zu)\n",
+		dev_err(dev, "raw receive request too small (%zu < %zu)\n",
 			op->request->payload_size, sizeof(*receive));
 		return -EINVAL;
 	}
 	receive = op->request->payload;
 	len = le32_to_cpu(receive->len);
 	if (len != (int)(op->request->payload_size - sizeof(__le32))) {
-		dev_err(raw->device,
-			"raw receive request wrong size %d vs %d\n",
-			len,
+		dev_err(dev, "raw receive request wrong size %d vs %d\n", len,
 			(int)(op->request->payload_size - sizeof(__le32)));
 		return -EINVAL;
 	}
 	if (len == 0) {
-		dev_err(raw->device, "raw receive request of 0 bytes?\n");
+		dev_err(dev, "raw receive request of 0 bytes?\n");
 		return -EINVAL;
 	}