From 1842dd8b7bc7d713d3c252a501411b5009b3987d Mon Sep 17 00:00:00 2001
From: Johan Hovold <johan@hovoldconsulting.com>
Date: Fri, 27 Mar 2015 12:45:41 +0100
Subject: [PATCH] greybus: gpio: fix null-deref on short irq requests

Make sure to verify the length of incoming requests before trying to
parse the request buffer, which can even be NULL on empty requests.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>
---
 drivers/staging/greybus/gpio.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/staging/greybus/gpio.c b/drivers/staging/greybus/gpio.c
index 2bac28ec7f85..7dc675d7bd5b 100644
--- a/drivers/staging/greybus/gpio.c
+++ b/drivers/staging/greybus/gpio.c
@@ -413,6 +413,12 @@ static void gb_gpio_request_recv(u8 type, struct gb_operation *op)
 	ggc = connection->private;
 
 	request = op->request;
+
+	if (request->payload_size < sizeof(*event)) {
+		dev_err(ggc->chip.dev, "short event received\n");
+		return;
+	}
+
 	event = request->payload;
 	if (event->which > ggc->line_max) {
 		dev_err(ggc->chip.dev, "invalid hw irq: %d\n", event->which);
-- 
2.39.5