rfkill: Use mutex_lock() at register and add sanity check
Michael Buesch [Sun, 28 Oct 2007 14:16:50 +0000 (15:16 +0100)]
Replace mutex_lock_interruptible() by mutex_lock() in rfkill_register(),
as interruptible doesn't make sense there.

Add a sanity check for rfkill->type, as that's used for an unchecked dereference
in an array and might cause hard to debug crashes if the driver sets this
to an invalid value.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

net/rfkill/rfkill.c

index bbfbb9e..47e8cd0 100644 (file)
@@ -276,21 +276,17 @@ static struct class rfkill_class = {
 
 static int rfkill_add_switch(struct rfkill *rfkill)
 {
-       int retval;
-
-       retval = mutex_lock_interruptible(&rfkill_mutex);
-       if (retval)
-               return retval;
+       int error;
 
-       retval = rfkill_toggle_radio(rfkill, rfkill_states[rfkill->type]);
-       if (retval)
-               goto out;
+       mutex_lock(&rfkill_mutex);
 
-       list_add_tail(&rfkill->node, &rfkill_list);
+       error = rfkill_toggle_radio(rfkill, rfkill_states[rfkill->type]);
+       if (!error)
+               list_add_tail(&rfkill->node, &rfkill_list);
 
- out:
        mutex_unlock(&rfkill_mutex);
-       return retval;
+
+       return error;
 }
 
 static void rfkill_remove_switch(struct rfkill *rfkill)
@@ -387,6 +383,8 @@ int rfkill_register(struct rfkill *rfkill)
 
        if (!rfkill->toggle_radio)
                return -EINVAL;
+       if (rfkill->type >= RFKILL_TYPE_MAX)
+               return -EINVAL;
 
        snprintf(dev->bus_id, sizeof(dev->bus_id),
                 "rfkill%ld", (long)atomic_inc_return(&rfkill_no) - 1);