summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorCrestez Dan Leonard <leonard.crestez@intel.com>2016-06-03 20:30:24 +0200
committerJonathan Cameron <jic23@kernel.org>2016-06-11 18:20:27 +0200
commit6e85dbe4b461e59fa3cad6f6235cb47fa4c6a629 (patch)
treedc8e9b4c1756106839dc3640112f67c4e0750996 /drivers
parentstaging: lustre: lnet: Don't access NULL NI on failure path (diff)
downloadlinux-6e85dbe4b461e59fa3cad6f6235cb47fa4c6a629.tar.xz
linux-6e85dbe4b461e59fa3cad6f6235cb47fa4c6a629.zip
iio: inv_mpu6050: Fix use-after-free in ACPI code
In some cases this can result in incorrectly returning a negative value from asus_acpi_get_sensor_info and the AK8963 magnetometer failing to show up. Note cpm is an alias for buffer.pointer which isn't apparent in this patch on it's own. Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com> Signed-off-by: Crestez Dan Leonard <leonard.crestez@intel.com> Acked-by: Daniel Baluta <daniel.baluta@intel.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
index f62b8bd9ad7e..dd6fc6d21f9d 100644
--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
+++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c
@@ -56,6 +56,7 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
int i;
acpi_status status;
union acpi_object *cpm;
+ int ret;
status = acpi_evaluate_object(adev->handle, "CNF0", NULL, &buffer);
if (ACPI_FAILURE(status))
@@ -82,10 +83,10 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
}
}
}
-
+ ret = cpm->package.count;
kfree(buffer.pointer);
- return cpm->package.count;
+ return ret;
}
static int acpi_i2c_check_resource(struct acpi_resource *ares, void *data)