[IRDA]: Fix rfcomm use-after-free

[pandora-kernel.git] / drivers / mtd / mtdchar.c

diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
index 866c8e0..8c86b80 100644 (file)
--- a/drivers/mtd/mtdchar.c
+++ b/drivers/mtd/mtdchar.c
@@ -7,6 +7,7 @@
 
 #include <linux/device.h>
 #include <linux/fs.h>
+#include <linux/err.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
@@ -100,8 +101,8 @@ static int mtd_open(struct inode *inode, struct file *file)
 
        mtd = get_mtd_device(NULL, devnum);
 
-       if (!mtd)
-               return -ENODEV;
+       if (IS_ERR(mtd))
+               return PTR_ERR(mtd);
 
        if (MTD_ABSENT == mtd->type) {
                put_mtd_device(mtd);
@@ -418,8 +419,9 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                info.erasesize  = mtd->erasesize;
                info.writesize  = mtd->writesize;
                info.oobsize    = mtd->oobsize;
-               info.ecctype    = mtd->ecctype;
-               info.eccsize    = mtd->eccsize;
+               /* The below fields are obsolete */
+               info.ecctype    = -1;
+               info.eccsize    = 0;
                if (copy_to_user(argp, &info, sizeof(struct mtd_info_user)))
                        return -EFAULT;
                break;
@@ -431,7 +433,7 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                if(!(file->f_mode & 2))
                        return -EPERM;
 
-               erase=kmalloc(sizeof(struct erase_info),GFP_KERNEL);
+               erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL);
                if (!erase)
                        ret = -ENOMEM;
                else {
@@ -440,7 +442,6 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
 
                        init_waitqueue_head(&waitq);
 
-                       memset (erase,0,sizeof(struct erase_info));
                        if (copy_from_user(&erase->addr, argp,
                                    sizeof(struct erase_info_user))) {
                                kfree(erase);
@@ -499,13 +500,12 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                if (ret)
                        return ret;
 
-               ops.len = buf.length;
                ops.ooblen = buf.length;
                ops.ooboffs = buf.start & (mtd->oobsize - 1);
                ops.datbuf = NULL;
                ops.mode = MTD_OOB_PLACE;
 
-               if (ops.ooboffs && ops.len > (mtd->oobsize - ops.ooboffs))
+               if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
                        return -EINVAL;
 
                ops.oobbuf = kmalloc(buf.length, GFP_KERNEL);
@@ -520,7 +520,7 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                buf.start &= ~(mtd->oobsize - 1);
                ret = mtd->write_oob(mtd, buf.start, &ops);
 
-               if (copy_to_user(argp + sizeof(uint32_t), &ops.retlen,
+               if (copy_to_user(argp + sizeof(uint32_t), &ops.oobretlen,
                                 sizeof(uint32_t)))
                        ret = -EFAULT;
 
@@ -548,13 +548,12 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                if (ret)
                        return ret;
 
-               ops.len = buf.length;
                ops.ooblen = buf.length;
                ops.ooboffs = buf.start & (mtd->oobsize - 1);
                ops.datbuf = NULL;
                ops.mode = MTD_OOB_PLACE;
 
-               if (ops.ooboffs && ops.len > (mtd->oobsize - ops.ooboffs))
+               if (ops.ooboffs && ops.ooblen > (mtd->oobsize - ops.ooboffs))
                        return -EINVAL;
 
                ops.oobbuf = kmalloc(buf.length, GFP_KERNEL);
@@ -564,10 +563,10 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
                buf.start &= ~(mtd->oobsize - 1);
                ret = mtd->read_oob(mtd, buf.start, &ops);
 
-               if (put_user(ops.retlen, (uint32_t __user *)argp))
+               if (put_user(ops.oobretlen, (uint32_t __user *)argp))
                        ret = -EFAULT;
-               else if (ops.retlen && copy_to_user(buf.ptr, ops.oobbuf,
-                                                   ops.retlen))
+               else if (ops.oobretlen && copy_to_user(buf.ptr, ops.oobbuf,
+                                                   ops.oobretlen))
                        ret = -EFAULT;
 
                kfree(ops.oobbuf);
@@ -761,7 +760,7 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
        return ret;
 } /* memory_ioctl */
 
-static struct file_operations mtd_fops = {
+static const struct file_operations mtd_fops = {
        .owner          = THIS_MODULE,
        .llseek         = mtd_lseek,
        .read           = mtd_read,