diff options
| author | Ian Abbott <abbotti@mev.co.uk> | 2017-02-17 14:09:08 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-03-06 11:16:58 +0300 |
| commit | 45292be0b3db0b7f8286683b376e2d9f949d11f9 (patch) | |
| tree | 83de5291f0068c1324276a447b4f8f2ac9064905 /scripts/cleanpatch | |
| parent | 15c012d5452809c1ff0ac0007b4dd3addef00b63 (diff) | |
| download | linux-45292be0b3db0b7f8286683b376e2d9f949d11f9.tar.xz | |
staging: comedi: jr3_pci: fix possible null pointer dereference
For some reason, the driver does not consider allocation of the
subdevice private data to be a fatal error when attaching the COMEDI
device. It tests the subdevice private data pointer for validity at
certain points, but omits some crucial tests. In particular,
`jr3_pci_auto_attach()` calls `jr3_pci_alloc_spriv()` to allocate and
initialize the subdevice private data, but the same function
subsequently dereferences the pointer to access the `next_time_min` and
`next_time_max` members without checking it first. The other missing
test is in the timer expiry routine `jr3_pci_poll_dev()`, but it will
crash before it gets that far.
Fix the bug by returning `-ENOMEM` from `jr3_pci_auto_attach()` as soon
as one of the calls to `jr3_pci_alloc_spriv()` returns `NULL`. The
COMEDI core will subsequently call `jr3_pci_detach()` to clean up.
Cc: <stable@vger.kernel.org> # 3.15+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'scripts/cleanpatch')
0 files changed, 0 insertions, 0 deletions
