On Sunday 28 October 2007, Michael Buesch wrote:
> Replace mutex_lock_interruptible() by mutex_lock() in rfkill_register(),
> as interruptible doesn't make sense there.
>
> Add a sanity check for rfkill->type, as that's used for an unchecked dereference
> in an array and might cause hard to debug crashes if the driver sets this
> to an invalid value.
>
> Signed-off-by: Michael Buesch <mb@xxxxxxxxx>
Signed-off-by: Ivo van Doorn <IvDoorn@xxxxxxxxx>
> Index: wireless-2.6/net/rfkill/rfkill.c
> ===================================================================
> --- wireless-2.6.orig/net/rfkill/rfkill.c 2007-10-28 14:27:30.000000000 +0100
> +++ wireless-2.6/net/rfkill/rfkill.c 2007-10-28 15:07:11.000000000 +0100
> @@ -276,21 +276,17 @@ static struct class rfkill_class = {
>
> static int rfkill_add_switch(struct rfkill *rfkill)
> {
> - int retval;
> -
> - retval = mutex_lock_interruptible(&rfkill_mutex);
> - if (retval)
> - return retval;
> + int error;
>
> - retval = rfkill_toggle_radio(rfkill, rfkill_states[rfkill->type]);
> - if (retval)
> - goto out;
> + mutex_lock(&rfkill_mutex);
>
> - list_add_tail(&rfkill->node, &rfkill_list);
> + error = rfkill_toggle_radio(rfkill, rfkill_states[rfkill->type]);
> + if (!error)
> + list_add_tail(&rfkill->node, &rfkill_list);
>
> - out:
> mutex_unlock(&rfkill_mutex);
> - return retval;
> +
> + return error;
> }
>
> static void rfkill_remove_switch(struct rfkill *rfkill)
> @@ -387,6 +383,8 @@ int rfkill_register(struct rfkill *rfkil
>
> if (!rfkill->toggle_radio)
> return -EINVAL;
> + if (rfkill->type >= RFKILL_TYPE_MAX)
> + return -EINVAL;
>
> snprintf(dev->bus_id, sizeof(dev->bus_id),
> "rfkill%ld", (long)atomic_inc_return(&rfkill_no) - 1);
>
-
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
