| From e952c676fd112fb09d38ef23bfff260bd9a8ad05 Mon Sep 17 00:00:00 2001 |
| From: Ian Abbott <abbotti@mev.co.uk> |
| Date: Tue, 14 Jan 2020 18:25:31 +0000 |
| Subject: [PATCH] staging: comedi: ni_routes: fix null dereference in |
| ni_find_route_source() |
| |
| commit 01e20b664f808a4f3048ca3f930911fd257209bd upstream. |
| |
| In `ni_find_route_source()`, `tables->route_values` gets dereferenced. |
| However it is possible that `tables->route_values` is `NULL`, leading to |
| a null pointer dereference. `tables->route_values` will be `NULL` if |
| the call to `ni_assign_device_routes()` during board initialization |
| returned an error due to missing device family routing information or |
| missing board-specific routing information. For example, there is |
| currently no board-specific routing information provided for the |
| PCIe-6251 board and several other boards, so those are affected by this |
| bug. |
| |
| The bug is triggered when `ni_find_route_source()` is called via |
| `ni_check_trigger_arg()` or `ni_check_trigger_arg_roffs()` when checking |
| the arguments for setting up asynchronous commands. Fix it by returning |
| `-EINVAL` if `tables->route_values` is `NULL`. |
| |
| Even with this fix, setting up asynchronous commands to use external |
| trigger sources for boards with missing routing information will still |
| fail gracefully. Since `ni_find_route_source()` only depends on the |
| device family routing information, it would be better if that was made |
| available even if the board-specific routing information is missing. |
| That will be addressed by another patch. |
| |
| Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information") |
| Cc: <stable@vger.kernel.org> # 4.20+ |
| Cc: Spencer E. Olson <olsonse@umich.edu> |
| Signed-off-by: Ian Abbott <abbotti@mev.co.uk> |
| Link: https://lore.kernel.org/r/20200114182532.132058-2-abbotti@mev.co.uk |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/staging/comedi/drivers/ni_routes.c b/drivers/staging/comedi/drivers/ni_routes.c |
| index eb61494dc2bd..fe96c4ee90b3 100644 |
| --- a/drivers/staging/comedi/drivers/ni_routes.c |
| +++ b/drivers/staging/comedi/drivers/ni_routes.c |
| @@ -489,6 +489,9 @@ int ni_find_route_source(const u8 src_sel_reg_value, int dest, |
| { |
| int src; |
| |
| + if (!tables->route_values) |
| + return -EINVAL; |
| + |
| dest = B(dest); /* subtract NI names offset */ |
| /* ensure we are not going to under/over run the route value table */ |
| if (dest < 0 || dest >= NI_NUM_NAMES) |
| -- |
| 2.7.4 |
| |