[PATCH v2] staging: comedi: check s->async for poll(), read() and write()

Ian Abbott abbotti at mev.co.uk
Mon Feb 4 19:57:15 UTC 2013


On 04/02/2013 18:49, Greg Kroah-Hartman wrote:
> On Mon, Feb 04, 2013 at 03:05:28PM +0000, Ian Abbott wrote:
>> Some low-level comedi drivers (incorrectly) point `dev->read_subdev` or
>> `dev->write_subdev` to a subdevice that does not support asynchronous
>> commands.  Comedi's poll(), read() and write() file operation handlers
>> assume these subdevices do support asynchronous commands.  In
>> particular, they assume `s->async` is valid (where `s` points to the
>> read or write subdevice), which it won't be if it has been set
>> incorrectly.  This can lead to a NULL pointer dereference.
>
> Are there any specific drivers that cause this to happen?

comedi_test is one. I have a few others written on a piece of paper 
somewhere. :)

I plan to add some sanitization during postconfig (after the low-level 
driver's attach or auto_attach routine is called) to trim out the bits 
that it doesn't set up properly with a warning.

>> Check `s->async` is non-NULL in `comedi_poll()`, `comedi_read()` and
>> `comedi_write()` to avoid the bug.
>>
>> Signed-off-by: Ian Abbott <abbotti at mev.co.uk>
>> ---
>> v2: Corrected silly mistake.  Deleted a line accidentally leading to
>> compilation failure.
>> Note: this is for Greg's staging-linus or master and stable kernels
>
> Can this wait until 3.9-rc1, and then backport to the 3.8.1 release and
> older stable kernels?

Sure thing.

-- 
-=( Ian Abbott @ MEV Ltd.    E-mail: <abbotti at mev.co.uk>        )=-
-=( Tel: +44 (0)161 477 1898   FAX: +44 (0)161 718 3587         )=-
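The check and the planned postconfig sanitization discussed in this message, as an added user-space C model that is not part of the original message and not the kernel patch. The `model_*` structures and functions, the `-EIO` return value and the sample data are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space stand-ins for the comedi structures (assumed shapes). */
struct model_async { size_t bytes_ready; };
struct model_subdevice { struct model_async *async; }; /* NULL: no async support */
struct model_device {
    struct model_subdevice *read_subdev;
    struct model_subdevice *write_subdev;
};

/* Guarded read handler: check s and s->async before using the buffer state. */
static long model_read(const struct model_device *dev, size_t nbytes)
{
    const struct model_subdevice *s = dev->read_subdev;
    if (!s || !s->async)
        return -EIO; /* error value is an assumption of this model */
    return (long)(nbytes < s->async->bytes_ready ? nbytes : s->async->bytes_ready);
}

/* Postconfig-style sanitization: clear a read/write subdevice pointer that
 * references a subdevice without async state, and warn about it. */
static int trim(struct model_subdevice **p, const char *name)
{
    if (!*p || (*p)->async)
        return 0;
    fprintf(stderr, "warning: %s has no async support, clearing\n", name);
    *p = NULL;
    return 1;
}
static int model_sanitize(struct model_device *dev)
{
    return trim(&dev->read_subdev, "read_subdev") + trim(&dev->write_subdev, "write_subdev");
}

/* Constructed sample data: read_subdev wrongly points at a non-async subdevice. */
static struct model_async sample_async = { 16 };
static struct model_subdevice sub_async = { &sample_async };
static struct model_subdevice sub_plain = { NULL };
static struct model_device dev_bad = { &sub_plain, &sub_async };

int main(void)
{
    printf("read before sanitize: %ld\n", model_read(&dev_bad, 8));
    printf("pointers trimmed: %d\n", model_sanitize(&dev_bad));
    printf("read after sanitize: %ld\n", model_read(&dev_bad, 8));
    return 0;
}
```

Without the `!s->async` test, the first `model_read()` call would dereference a NULL pointer, which is the failure the patch description names.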




