From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Greg Kroah-Hartman , alan@lxorguk.ukuu.org.uk, Ian Abbott Subject: [ 030/101] staging: comedi: ni_labpc: fix possible NULL deref during detach Date: Mon, 29 Oct 2012 14:34:43 -0700 Message-Id: <20121029213243.560072655@linuxfoundation.org> In-Reply-To: <20121029213240.128426598@linuxfoundation.org> References: <20121029213240.128426598@linuxfoundation.org> Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ian Abbott commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream. `labpc_common_detach()` is called by the comedi core to clean up if either `labpc_attach()` (including the one in the "ni_labpc_cs" module) or `labpc_attach_pci()` returns an error. It assumes the `thisboard` macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is non-null. This is a valid assumption if `labpc_attach()` fails, but not if `labpc_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `labpc_common_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman --- drivers/staging/comedi/drivers/ni_labpc.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/staging/comedi/drivers/ni_labpc.c +++ b/drivers/staging/comedi/drivers/ni_labpc.c @@ -809,6 +809,8 @@ static int labpc_find_device(struct come void labpc_common_detach(struct comedi_device *dev) { + if (!thisboard) + return; if (dev->subdevices) subdev_8255_cleanup(dev, dev->subdevices + 2); #ifdef CONFIG_ISA_DMA_API