diff options
author | Ian Abbott <abbotti@mev.co.uk> | 2017-02-17 11:09:08 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2017-08-26 02:14:23 +0100 |
commit | e86ba26497605924e2e3d2bd776cb103fbeb1c2f (patch) | |
tree | 2c338bd0883e36a2ad08cd6c941b913dd2d06bde /fs/nfsd/vfs.c | |
parent | a6334ec17dd55334989da52b12bd85ccf22f95d0 (diff) | |
download | linux-stable-e86ba26497605924e2e3d2bd776cb103fbeb1c2f.tar.gz linux-stable-e86ba26497605924e2e3d2bd776cb103fbeb1c2f.tar.bz2 linux-stable-e86ba26497605924e2e3d2bd776cb103fbeb1c2f.zip |
staging: comedi: jr3_pci: fix possible null pointer dereference
commit 45292be0b3db0b7f8286683b376e2d9f949d11f9 upstream.
For some reason, the driver does not consider allocation of the
subdevice private data to be a fatal error when attaching the COMEDI
device. It tests the subdevice private data pointer for validity at
certain points, but omits some crucial tests. In particular,
`jr3_pci_auto_attach()` calls `jr3_pci_alloc_spriv()` to allocate and
initialize the subdevice private data, but the same function
subsequently dereferences the pointer to access the `next_time_min` and
`next_time_max` members without checking it first. The other missing
test is in the timer expiry routine `jr3_pci_poll_dev()`, but it will
crash before it gets that far.
Fix the bug by returning `-ENOMEM` from `jr3_pci_auto_attach()` as soon
as one of the calls to `jr3_pci_alloc_spriv()` returns `NULL`. The
COMEDI core will subsequently call `jr3_pci_detach()` to clean up.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'fs/nfsd/vfs.c')
0 files changed, 0 insertions, 0 deletions