[PATCH] staging: comedi: drivers: fix kernel oops when channel list has invalid pointer

Hi all,

I think with this patch everything seems to be running fine now. The kernel oops was actually caused by a bug in one of my userspace programs (forgot to set the channel list in cmd) but of course that shouldn't have been possible. That's now properly dealt with and we get a "bad address" back to the userspace program.

Thanks for all your hard work to tidy up the comedi code.

/Bernd
--
www:    http://www.berndporr.me.uk/
        http://www.linux-usb-daq.co.uk/
	http://www.imdb.com/name/nm3293421/
Mobile: +44 (0)7840 340069
Work:   +44 (0)141 330 5237
        University of Glasgow
        School of Engineering
        Rankine Building, Oakfield Avenue,
        Glasgow, G12 8LT
>From d83a3e0cda7559e9b91759ab4ef8a6c3eb19fbc0 Mon Sep 17 00:00:00 2001
From: Bernd Porr <mail@xxxxxxxxxxxxxxx>
Date: Wed, 11 Dec 2013 11:45:09 +0000
Subject: [PATCH 1/1] If the channel list is not set in userspace we get an
 error at PTR_ERR(async->cmd.chanlist). However, do_become_nonbusy(dev, s)
 cleans up this pointer which causes a kernel oops. Setting the channel list
 in async to NULL and checking this in do_become_nonbusy prevents the oops.

Signed-off-by: Bernd Porr <mail@xxxxxxxxxxxxxxx>
---
 drivers/staging/comedi/comedi_fops.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index f3d59e2..cb546f8 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -560,8 +560,10 @@ static void do_become_nonbusy(struct comedi_device *dev,
 	if (async) {
 		comedi_buf_reset(async);
 		async->inttrig = NULL;
-		kfree(async->cmd.chanlist);
-		async->cmd.chanlist = NULL;
+		if (async->cmd.chanlist) {
+		        kfree(async->cmd.chanlist);
+		        async->cmd.chanlist = NULL;
+		}
 	} else {
 		dev_err(dev->class_dev,
 			"BUG: (?) do_become_nonbusy called with async=NULL\n");
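Review bot: the `if (async->cmd.chanlist)` guard added around `kfree()` is unnecessary, because `kfree(NULL)` is a no-op, so the two removed lines already handled a NULL chanlist and this hunk does not change behaviour. The oops described in the commit message comes from an ERR_PTR value reaching `kfree()`, which a non-NULL test does not catch; that case is covered by the `async->cmd.chanlist = NULL;` assignment in do_cmd_ioctl(). Suggest dropping this hunk. If it stays, the three added lines inside the braces are indented with tabs followed by spaces and should use tabs only.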
@@ -1425,6 +1427,7 @@ static int do_cmd_ioctl(struct comedi_device *dev,
 					  async->cmd.chanlist_len * sizeof(int));
 	if (IS_ERR(async->cmd.chanlist)) {
 		ret = PTR_ERR(async->cmd.chanlist);
+		async->cmd.chanlist = NULL;
 		DPRINTK("memdup_user failed with code %d\n", ret);
 		goto cleanup;
 	}
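Review bot: in the `IS_ERR()` branch, clearing `async->cmd.chanlist` after the fact means the ERR_PTR value is first stored in the async structure and only then reset; consider taking the `memdup_user()` result in a local variable and assigning it to `async->cmd.chanlist` only on success, so the cleanup path can never see an error pointer. The assignment as written does address the failure the commit message describes, since the `goto cleanup` path then finds NULL. Separately, the whole explanation has ended up in the Subject line; a short subject followed by a blank line and the description in the body would match the usual patch format.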
-- 
1.8.5.1

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
