This is a note to let you know that I've just added the patch titled
staging: comedi: check s->async for poll(), read() and write()
to my staging git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
in the staging-next branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will also be merged in the next major kernel release
during the merge window.
If you have any questions about this process, please let me know.
>From cc400e185c07c15a42d2635995f422de5b94b696 Mon Sep 17 00:00:00 2001
From: Ian Abbott <[email protected]>
Date: Tue, 5 Feb 2013 12:50:40 +0000
Subject: staging: comedi: check s->async for poll(), read() and write()
Some low-level comedi drivers (incorrectly) point `dev->read_subdev` or
`dev->write_subdev` to a subdevice that does not support asynchronous
commands. Comedi's poll(), read() and write() file operation handlers
assume these subdevices do support asynchronous commands. In
particular, they assume `s->async` is valid (where `s` points to the
read or write subdevice), which it won't be if it has been set
incorrectly. This can lead to a NULL pointer dereference.
Check `s->async` is non-NULL in `comedi_poll()`, `comedi_read()` and
`comedi_write()` to avoid the bug.
Signed-off-by: Ian Abbott <[email protected]>
Cc: stable <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/staging/comedi/comedi_fops.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/comedi/comedi_fops.c
b/drivers/staging/comedi/comedi_fops.c
index bd89e78..b1e8cdb 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1839,7 +1839,7 @@ static unsigned int comedi_poll(struct file *file,
poll_table *wait)
}
s = comedi_read_subdevice(info);
- if (s) {
+ if (s && s->async) {
poll_wait(file, &s->async->wait_head, wait);
if (!s->busy || !comedi_is_subdevice_running(s) ||
comedi_buf_read_n_available(s->async) > 0)
@@ -1847,7 +1847,7 @@ static unsigned int comedi_poll(struct file *file,
poll_table *wait)
}
s = comedi_write_subdevice(info);
- if (s) {
+ if (s && s->async) {
unsigned int bps = bytes_per_sample(s->async->subdevice);
poll_wait(file, &s->async->wait_head, wait);
@@ -1882,7 +1882,7 @@ static ssize_t comedi_write(struct file *file, const char
__user *buf,
}
s = comedi_write_subdevice(info);
- if (!s)
+ if (!s || !s->async)
return -EIO;
async = s->async;
@@ -1977,7 +1977,7 @@ static ssize_t comedi_read(struct file *file, char __user
*buf, size_t nbytes,
}
s = comedi_read_subdevice(info);
- if (!s)
+ if (!s || !s->async)
return -EIO;
async = s->async;
--
1.8.1.2.434.g9a6c84e.dirty
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
