USB: serial: mos7840: fix another NULL-deref at open
[pandora-kernel.git] / drivers / usb / serial / mos7840.c
index 5d2501e..c868953 100644 (file)
@@ -1058,6 +1058,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
         * (can't set it up in mos7840_startup as the structures *
         * were not set up at that time.)                        */
        if (port0->open_ports == 1) {
+               /* FIXME: Buffer never NULL, so URB is not submitted. */
                if (serial->port[0]->interrupt_in_buffer == NULL) {
                        /* set up interrupt urb */
                        usb_fill_int_urb(serial->port[0]->interrupt_in_urb,
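Review bot: The new FIXME at the top of the `open_ports == 1` branch does not say why the buffer is never NULL or what follows from it. Judging by the `num_interrupt_in < 1` check this same diff adds to mos7840_startup, port 0 presumably always has an interrupt-in buffer once the device binds, which would make the whole `== NULL` branch unreachable. I would spell that out, e.g. `/* FIXME: startup requires an interrupt-in endpoint, so this buffer is never NULL and the interrupt URB is never filled or submitted. */`. This leaves the next reader knowing whether to invert the test or delete the branch. mos7840_open starts and ends outside the hunk.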
@@ -1071,9 +1072,7 @@ static int mos7840_open(struct tty_struct *tty, struct usb_serial_port *port)
                                serial,
                                serial->port[0]->interrupt_in_urb->interval);
 
-                       /* start interrupt read for mos7840               *
-                        * will continue as long as mos7840 is connected  */
-
+                       /* start interrupt read for mos7840 */
                        response =
                            usb_submit_urb(serial->port[0]->interrupt_in_urb,
                                           GFP_KERNEL);
@@ -1524,8 +1523,8 @@ static int mos7840_write(struct tty_struct *tty, struct usb_serial_port *port,
        }
 
        if (urb->transfer_buffer == NULL) {
-               urb->transfer_buffer =
-                   kmalloc(URB_TRANSFER_BUFFER_SIZE, GFP_KERNEL);
+               urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+                                              GFP_ATOMIC);
 
                if (urb->transfer_buffer == NULL) {
                        dev_err(&port->dev, "%s no more kernel memory...\n",
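Review bot: The switch to `GFP_ATOMIC` on the `urb->transfer_buffer` allocation carries no comment saying why sleeping is not allowed here, so a later cleanup could easily turn it back into `GFP_KERNEL`. A one-line note above the kmalloc would do, e.g. `/* write() may be called in atomic context; must not sleep */`. Atomic allocations fail more readily, so the NULL branch right below is now a realistic path. Its `dev_err` is not rate-limited in the visible lines, and the rest of that branch lies outside the hunk, so confirm it returns cleanly without touching the URB.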
@@ -1689,7 +1688,11 @@ static int mos7840_tiocmget(struct tty_struct *tty)
                return -ENODEV;
 
        status = mos7840_get_uart_reg(port, MODEM_STATUS_REGISTER, &msr);
+       if (status != 1)
+               return -EIO;
        status = mos7840_get_uart_reg(port, MODEM_CONTROL_REGISTER, &mcr);
+       if (status != 1)
+               return -EIO;
        result = ((mcr & MCR_DTR) ? TIOCM_DTR : 0)
            | ((mcr & MCR_RTS) ? TIOCM_RTS : 0)
            | ((mcr & MCR_LOOPBACK) ? TIOCM_LOOP : 0)
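Review bot: Both new checks in mos7840_tiocmget compare against a bare `1` and turn every failure into `-EIO`. The helper's return contract is not visible here; presumably it returns the number of bytes transferred or a negative errno, in which case a disconnect error would be reported to user space as a generic I/O error. If so, `return status < 0 ? status : -EIO;` keeps the original code, and a short comment such as `/* expect exactly one register byte */` explains the constant. The checks themselves are what stop `msr` and `mcr` from being used uninitialized when building `result`.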
@@ -1983,25 +1986,25 @@ static void mos7840_change_port_settings(struct tty_struct *tty,
        iflag = tty->termios->c_iflag;
 
        /* Change the number of bits */
-       if (cflag & CSIZE) {
-               switch (cflag & CSIZE) {
-               case CS5:
-                       lData = LCR_BITS_5;
-                       break;
+       switch (cflag & CSIZE) {
+       case CS5:
+               lData = LCR_BITS_5;
+               break;
 
-               case CS6:
-                       lData = LCR_BITS_6;
-                       break;
+       case CS6:
+               lData = LCR_BITS_6;
+               break;
 
-               case CS7:
-                       lData = LCR_BITS_7;
-                       break;
-               default:
-               case CS8:
-                       lData = LCR_BITS_8;
-                       break;
-               }
+       case CS7:
+               lData = LCR_BITS_7;
+               break;
+
+       default:
+       case CS8:
+               lData = LCR_BITS_8;
+               break;
        }
+
        /* Change the Parity bit */
        if (cflag & PARENB) {
                if (cflag & PARODD) {
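Review bot: Dropping the `if (cflag & CSIZE)` wrapper around the switch is not explained anywhere in the code, and the reason is easy to miss. On Linux `CS5` is defined as 0, so the old guard skipped the switch for 5-bit characters and left `lData` at whatever it held before. A comment above the switch would keep the guard from being reintroduced, e.g. `/* CS5 is 0: do not guard this switch with (cflag & CSIZE) */`. The initial value of `lData` is outside the hunk, so whether the old path read an uninitialized variable cannot be confirmed from here.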
@@ -2382,6 +2385,13 @@ static int mos7840_startup(struct usb_serial *serial)
                return -1;
        }
 
+       if (serial->num_bulk_in < serial->num_ports ||
+                       serial->num_bulk_out < serial->num_ports ||
+                       serial->num_interrupt_in < 1) {
+               dev_err(&serial->interface->dev, "missing endpoints\n");
+               return -ENODEV;
+       }
+
        dev = serial->dev;
 
        dbg("%s", "Entering...");
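Review bot: The new endpoint check in mos7840_startup has no comment tying it to the crash it prevents, and it returns `-ENODEV` while the failure just above returns a bare `-1`. The counts come from the attached device's descriptors, so this is validation of untrusted input. A note such as `/* Endpoint counts are device-controlled; open() dereferences port[0]'s interrupt-in URB and (presumably) each port's bulk URBs. */` would make that explicit. Converting the earlier `return -1` to a real errno would make the function's error paths consistent. The function body continues outside the hunk.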