iio: inv_mpu6050: Fix use-after-free in ACPI code
authorCrestez Dan Leonard <leonard.crestez@intel.com>
Fri, 3 Jun 2016 18:30:24 +0000 (21:30 +0300)
committerJonathan Cameron <jic23@kernel.org>
Sat, 11 Jun 2016 16:20:27 +0000 (17:20 +0100)
In some cases this can result in incorrectly returning a negative value
from asus_acpi_get_sensor_info and the AK8963 magnetometer failing to
show up.

Note cpm is an alias for buffer.pointer which isn't apparent in this
patch on it's own.

Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Crestez Dan Leonard <leonard.crestez@intel.com>
Acked-by: Daniel Baluta <daniel.baluta@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
drivers/iio/imu/inv_mpu6050/inv_mpu_acpi.c

index f62b8bd9ad7ef0fb440e8d28a55061db4ffb3496..dd6fc6d21f9d0c6057b6b5029800eef2fa82dacb 100644 (file)
@@ -56,6 +56,7 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
        int i;
        acpi_status status;
        union acpi_object *cpm;
+       int ret;
 
        status = acpi_evaluate_object(adev->handle, "CNF0", NULL, &buffer);
        if (ACPI_FAILURE(status))
@@ -82,10 +83,10 @@ static int asus_acpi_get_sensor_info(struct acpi_device *adev,
                        }
                }
        }
-
+       ret = cpm->package.count;
        kfree(buffer.pointer);
 
-       return cpm->package.count;
+       return ret;
 }
 
 static int acpi_i2c_check_resource(struct acpi_resource *ares, void *data)