[PATCH stable 3.15 to 3.18] staging: comedi: dt282x: fix a null pointer deref on interrupt
commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
The interrupt handler `dt282x_interrupt()` causes a null pointer dereference for those supported boards that have no analog output support. For these boards, `dev->write_subdev` will be `NULL` and therefore the `s_ao` subdevice pointer variable will be `NULL`. In that case, the following call near the end of the interrupt handler results in a null pointer dereference:
cfc_handle_events(dev, s_ao);
[ Upstream equivalent: comedi_handle_events(dev, s_ao); -- IA ]
Fix it by only calling the above function if `s_ao` is valid.
(There are other uses of `s_ao` by the interrupt handler that may or may not be reached depending on values of hardware registers. Trust that they are reliable for now.)
Fixes: f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()") Signed-off-by: Ian Abbott abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/staging/comedi/drivers/dt282x.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c index c2a66dcf99fe..6a1222c45d35 100644 --- a/drivers/staging/comedi/drivers/dt282x.c +++ b/drivers/staging/comedi/drivers/dt282x.c @@ -483,7 +483,8 @@ static irqreturn_t dt282x_interrupt(int irq, void *d) } #endif cfc_handle_events(dev, s); - cfc_handle_events(dev, s_ao); + if (s_ao) + cfc_handle_events(dev, s_ao);
return IRQ_RETVAL(handled); }
On Fri, Jul 12, 2019 at 03:02:37PM +0100, Ian Abbott wrote:
commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
The interrupt handler `dt282x_interrupt()` causes a null pointer dereference for those supported boards that have no analog output support. For these boards, `dev->write_subdev` will be `NULL` and therefore the `s_ao` subdevice pointer variable will be `NULL`. In that case, the following call near the end of the interrupt handler results in a null pointer dereference:
cfc_handle_events(dev, s_ao);
[ Upstream equivalent: comedi_handle_events(dev, s_ao); -- IA ]
Fix it by only calling the above function if `s_ao` is valid.
(There are other uses of `s_ao` by the interrupt handler that may or may not be reached depending on values of hardware registers. Trust that they are reliable for now.)
Fixes: f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()") Signed-off-by: Ian Abbott abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/staging/comedi/drivers/dt282x.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
Thanks for the patch, I've taken it for my 3.18-android tree.
greg k-h
On Fri, 2019-07-12 at 15:02 +0100, Ian Abbott wrote:
commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
The interrupt handler `dt282x_interrupt()` causes a null pointer dereference for those supported boards that have no analog output support. For these boards, `dev->write_subdev` will be `NULL` and therefore the `s_ao` subdevice pointer variable will be `NULL`. In that case, the following call near the end of the interrupt handler results in a null pointer dereference:
[...]
Thanks; I've queued this up for 3.16. Sorry for the delay.
Ben.
linux-stable-mirror@lists.linaro.org
-
Ben Hutchings -
Greg Kroah-Hartman -
Ian Abbott