[PATCH stable 3.15 to 3.18] staging: comedi: dt282x: fix a null pointer deref on interrupt

[PATCH stable 3.15 to 3.18] staging: comedi: dt282x: fix a null pointer deref on interrupt

[Ian Abbott]

commit b8336be66dec06bef518030a0df9847122053ec5 upstream.

The interrupt handler `dt282x_interrupt()` causes a null pointer
dereference for those supported boards that have no analog output
support.  For these boards, `dev->write_subdev` will be `NULL` and
therefore the `s_ao` subdevice pointer variable will be `NULL`.  In that
case, the following call near the end of the interrupt handler results
in a null pointer dereference:

	cfc_handle_events(dev, s_ao);

[ Upstream equivalent:
	comedi_handle_events(dev, s_ao);
  -- IA ]

Fix it by only calling the above function if `s_ao` is valid.

(There are other uses of `s_ao` by the interrupt handler that may or may
not be reached depending on values of hardware registers.  Trust that
they are reliable for now.)

Fixes: f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()")
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/comedi/drivers/dt282x.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/comedi/drivers/dt282x.c b/drivers/staging/comedi/drivers/dt282x.c
index c2a66dcf99fe..6a1222c45d35 100644
--- a/drivers/staging/comedi/drivers/dt282x.c
+++ b/drivers/staging/comedi/drivers/dt282x.c
@@ -483,7 +483,8 @@ static irqreturn_t dt282x_interrupt(int irq, void *d)
 	}
 #endif
 	cfc_handle_events(dev, s);
-	cfc_handle_events(dev, s_ao);
+	if (s_ao)
+		cfc_handle_events(dev, s_ao);
 
 	return IRQ_RETVAL(handled);
 }
-- 
2.20.1

Re: [PATCH stable 3.15 to 3.18] staging: comedi: dt282x: fix a null pointer deref on interrupt

[Greg Kroah-Hartman]

On Fri, Jul 12, 2019 at 03:02:37PM +0100, Ian Abbott wrote:
> commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
> 
> The interrupt handler `dt282x_interrupt()` causes a null pointer
> dereference for those supported boards that have no analog output
> support.  For these boards, `dev->write_subdev` will be `NULL` and
> therefore the `s_ao` subdevice pointer variable will be `NULL`.  In that
> case, the following call near the end of the interrupt handler results
> in a null pointer dereference:
> 
> 	cfc_handle_events(dev, s_ao);
> 
> [ Upstream equivalent:
> 	comedi_handle_events(dev, s_ao);
>   -- IA ]
> 
> Fix it by only calling the above function if `s_ao` is valid.
> 
> (There are other uses of `s_ao` by the interrupt handler that may or may
> not be reached depending on values of hardware registers.  Trust that
> they are reliable for now.)
> 
> Fixes: f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()")
> Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  drivers/staging/comedi/drivers/dt282x.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Thanks for the patch, I've taken it for my 3.18-android tree.

greg k-h

Re: [PATCH stable 3.15 to 3.18] staging: comedi: dt282x: fix a null pointer deref on interrupt

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 687 bytes --]

On Fri, 2019-07-12 at 15:02 +0100, Ian Abbott wrote:
> commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
> 
> The interrupt handler `dt282x_interrupt()` causes a null pointer
> dereference for those supported boards that have no analog output
> support.  For these boards, `dev->write_subdev` will be `NULL` and
> therefore the `s_ao` subdevice pointer variable will be `NULL`.  In that
> case, the following call near the end of the interrupt handler results
> in a null pointer dereference:
[...]

Thanks; I've queued this up for 3.16.  Sorry for the delay.

Ben.

-- 
Ben Hutchings
Quantity is no substitute for quality, but it's the only one we've got.



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]