rfkill: Use mutex_lock() at register and add sanity check
Replace mutex_lock_interruptible() by mutex_lock() in rfkill_register(),
as interruptible doesn't make sense there.
Add a sanity check for rfkill->type, as that's used for an unchecked dereference
in an array and might cause hard to debug crashes if the driver sets this
to an invalid value.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
diff --git a/net/rfkill/rfkill.c b/net/rfkill/rfkill.c
index bbfbb9e..47e8cd0 100644
--- a/net/rfkill/rfkill.c
+++ b/net/rfkill/rfkill.c
@@ -276,21 +276,17 @@
static int rfkill_add_switch(struct rfkill *rfkill)
{
- int retval;
+ int error;
- retval = mutex_lock_interruptible(&rfkill_mutex);
- if (retval)
- return retval;
+ mutex_lock(&rfkill_mutex);
- retval = rfkill_toggle_radio(rfkill, rfkill_states[rfkill->type]);
- if (retval)
- goto out;
+ error = rfkill_toggle_radio(rfkill, rfkill_states[rfkill->type]);
+ if (!error)
+ list_add_tail(&rfkill->node, &rfkill_list);
- list_add_tail(&rfkill->node, &rfkill_list);
-
- out:
mutex_unlock(&rfkill_mutex);
- return retval;
+
+ return error;
}
static void rfkill_remove_switch(struct rfkill *rfkill)
@@ -387,6 +383,8 @@
if (!rfkill->toggle_radio)
return -EINVAL;
+ if (rfkill->type >= RFKILL_TYPE_MAX)
+ return -EINVAL;
snprintf(dev->bus_id, sizeof(dev->bus_id),
"rfkill%ld", (long)atomic_inc_return(&rfkill_no) - 1);