On 04/02/2013 18:49, Greg Kroah-Hartman wrote:
> On Mon, Feb 04, 2013 at 03:05:28PM +0000, Ian Abbott wrote:
>> Some low-level comedi drivers (incorrectly) point `dev->read_subdev` or
>> `dev->write_subdev` to a subdevice that does not support asynchronous
>> commands. Comedi's poll(), read() and write() file operation handlers
>> assume these subdevices do support asynchronous commands. In
>> particular, they assume `s->async` is valid (where `s` points to the
>> read or write subdevice), which it won't be if it has been set
>> incorrectly. This can lead to a NULL pointer dereference.
>
> Are there any specific drivers that cause this to happen?

comedi_test is one. I have a few others written on a piece of paper
somewhere. :)
I plan to add some sanitization during postconfig (after the low-level
driver's attach or auto_attach routine is called) to trim out the bits
that it doesn't set up properly with a warning.

>> Check `s->async` is non-NULL in `comedi_poll()`, `comedi_read()` and
>> `comedi_write()` to avoid the bug.
>> Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx>
>> ---
>> v2: Corrected silly mistake. Deleted a line accidentally leading to
>> compilation failure.
>> Note: this is for Greg's staging-linus or master and stable kernels
>
> Can this wait until 3.9-rc1, and then backport to the 3.8.1 release and
> older stable kernels?

Sure thing.
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti@xxxxxxxxx> )=-
-=( Tel: +44 (0)161 477 1898 FAX: +44 (0)161 718 3587 )=-
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
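
The `s->async` check from the commit message and the postconfig trimming mentioned in the reply, as an added user-space C example (not the kernel patch and not comedi code). The struct layouts, the `model_*` and `trim_one` names, the `-EIO` return value and the sample devices are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space stand-ins for the comedi structures (assumed). */
struct comedi_async { unsigned int buf_len; };
struct comedi_subdevice { struct comedi_async *async; };
struct comedi_device { struct comedi_subdevice *read_subdev, *write_subdev; };

/* Constructed sample devices: one misconfigured, one correct. */
static struct comedi_subdevice bad_sub = { NULL };
static struct comedi_device bad_dev = { &bad_sub, &bad_sub };
static struct comedi_async good_async = { 4096 };
static struct comedi_subdevice good_sub = { &good_async };
static struct comedi_device good_dev = { &good_sub, &good_sub };
static unsigned int demo_len;

/* Handler-side guard: fail cleanly when the subdevice has no async state. */
static int model_read(const struct comedi_device *dev, unsigned int *len)
{
	const struct comedi_subdevice *s = dev->read_subdev;
	if (!s || !s->async)	/* otherwise s->async->buf_len faults */
		return -EIO;	/* error code is this model's choice */
	*len = s->async->buf_len;
	return 0;
}

/* Hypothetical postconfig step: clear a pointer to a non-async subdevice. */
static int trim_one(struct comedi_subdevice **sp, const char *name)
{
	if (!*sp || (*sp)->async)
		return 0;
	fprintf(stderr, "warning: %s lacks async support, ignoring\n", name);
	*sp = NULL;
	return 1;
}

/* Returns how many of read_subdev/write_subdev were trimmed. */
static int model_sanitize(struct comedi_device *dev)
{
	return trim_one(&dev->read_subdev, "read_subdev") +
	       trim_one(&dev->write_subdev, "write_subdev");
}

int main(void)
{
	printf("bad read %d, trimmed %d, good read %d\n", model_read(&bad_dev, &demo_len),
	       model_sanitize(&bad_dev), model_read(&good_dev, &demo_len));
	return 0;
}
```

The guard protects each handler at call time; the sanitization pass removes the bad pointers once at configuration, so the two are complementary rather than alternatives.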