linux-stable.git/drivers/staging/comedi, branch v3.6.7 Linux kernel stable tree staging: comedi: amplc_pc236: fix possible NULL deref during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:18+00:00 6c04efd97dd25596a1bf80cc1c518fe7e451cc1e commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream. `pc236_detach()` is called by the comedi core to clean up if either `pc236_attach()` or `pc236_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `pc236_attach()` fails, but not if `pc236_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `pc236_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 2db012bd40b889d8e5483d3daa07af04c4c109d8 upstream.

`pc236_detach()` is called by the comedi core to clean up if either
`pc236_attach()` or `pc236_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc236_attach()` fails, but not
if `pc236_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc236_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: amplc_pc236: fix invalid register access during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:17+00:00 ec7fe3d6e91ff29ee3000e35f13f5eb3df2eca30 commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream. `pc236_detach()` is called by the comedi core if it attempted to attach a device and failed. `pc236_detach()` calls `pc236_intr_disable()` if the comedi device private data pointer (`devpriv`) is non-null. This test is insufficient as `pc236_intr_disable()` accesses hardware registers and the attach routine may have failed before it has saved their I/O base addresses. Fix it by checking `dev->iobase` is non-zero before calling `pc236_intr_disable()` as that means the I/O base addresses have been saved and the hardware registers can be accessed. It also implies the comedi device private data pointer is valid, so there is no need to check it. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit aaeb61a97b7159ebe30b18a422d04eeabfa8790b upstream.

`pc236_detach()` is called by the comedi core if it attempted to attach
a device and failed.  `pc236_detach()` calls `pc236_intr_disable()` if
the comedi device private data pointer (`devpriv`) is non-null.  This
test is insufficient as `pc236_intr_disable()` accesses hardware
registers and the attach routine may have failed before it has saved
their I/O base addresses.

Fix it by checking `dev->iobase` is non-zero before calling
`pc236_intr_disable()` as that means the I/O base addresses have been
saved and the hardware registers can be accessed.  It also implies the
comedi device private data pointer is valid, so there is no need to
check it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: amplc_pc263: fix possible NULL deref during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:19+00:00 3792dd12ee4419bc276cd321c8f74506a37aa93d commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream. `pc263_detach()` is called by the comedi core to clean up if either `pc263_attach()` or `pc263_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `pc263_attach()` fails, but not if `pc263_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `pc263_detach()` and return early if it is `NULL`. This is okay because no other resources need cleaning up in this case. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 1d1171ffda585c1cab7bd7cf4bd8f8fd5923fb4a upstream.

`pc263_detach()` is called by the comedi core to clean up if either
`pc263_attach()` or `pc263_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `pc263_attach()` fails, but not
if `pc263_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `pc263_detach()` and return early if it
is `NULL`.  This is okay because no other resources need cleaning up in
this case.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: amplc_dio200: fix possible NULL deref during detach 2012-10-31T17:10:00+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:16+00:00 6f9445326d4a262a863cc634fd377c5ca562e17d commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream. `dio200_detach()` is called by the comedi core to clean up if either `dio200_attach()` or `dio200_attach_pci()` return an error. It assigns `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. In the case of a previous call to `dio200_attach()` it won't be `NULL` because the comedi core will have pointed it to one of the elements of `dio200_boards[]`, but in the case of a previous call to `dio200_attach_pci()` it could be `NULL`, leading to a null pointer dereference. Check that `thisboard` is valid at the top of `dio200_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit dfb2540e91e1f63765bc3ff497ad0b714d774261 upstream.

`dio200_detach()` is called by the comedi core to clean up if either
`dio200_attach()` or `dio200_attach_pci()` return an error.  It assigns
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  In the case of a previous call to `dio200_attach()` it won't
be `NULL` because the comedi core will have pointed it to one of the
elements of `dio200_boards[]`, but in the case of a previous call to
`dio200_attach_pci()` it could be `NULL`, leading to a null pointer
dereference.

Check that `thisboard` is valid at the top of `dio200_detach()` and
return early if it is `NULL`.  This is okay because the only other thing
that could have been allocated is `dev->private` and that is freed by
the comedi core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: ni_labpc: fix possible NULL deref during detach 2012-10-31T17:09:59+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:21+00:00 9f275003e609824e738b22caef0020d5c4a4def5 commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream. `labpc_common_detach()` is called by the comedi core to clean up if either `labpc_attach()` (including the one in the "ni_labpc_cs" module) or `labpc_attach_pci()` returns an error. It assumes the `thisboard` macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is non-null. This is a valid assumption if `labpc_attach()` fails, but not if `labpc_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `labpc_common_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 922b67c1ac53014d80649a961a2fde700cd065d8 upstream.

`labpc_common_detach()` is called by the comedi core to clean up if
either `labpc_attach()` (including the one in the "ni_labpc_cs" module)
or `labpc_attach_pci()` returns an error.  It assumes the `thisboard`
macro (expanding to `((struct labpc_board_struct *)dev->board_ptr)`) is
non-null.  This is a valid assumption if `labpc_attach()` fails, but not
if `labpc_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `labpc_common_detach()` and return early
if it is `NULL`.  This is okay because the only other thing that could
have been allocated is `dev->private` and that is freed by the comedi
core, not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: ni_daq_700: fix dio subdevice regression 2012-10-31T17:09:59+00:00 Fred Brooks nsaspook@nsaspook.com 2012-10-02T10:10:26+00:00 8098a2e23e88e979566c78e68aec11fa21808df0 commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream. Here is a small patch to fix a problem caused by a previous patch that removed the callback function. The callback remove patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a I finally booted my dev machine on the latest kernel (running Debian here so it's still on 3.2 normally) to test the ni_daq_700 driver with my test program and noticed this bug. Shift the DIO_R read result to bits 8..15 Digital direction configuration: channels 0-7 output, 8-15 input (8225 device emu as port A output, port B input, port C N/A). Signed-off-by: Fred Brooks <nsaspook@nsaspook.com> Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 6681e63399926651cc29bcb9d92229b6f1cf1daa upstream.

Here is a small patch to fix a problem caused by a previous patch that
removed the  callback function.  The callback remove patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=1de02225358988e8fd48d1dc3fd12336bbae258a

I finally booted my dev machine on the latest kernel (running Debian
here so it's still on 3.2 normally) to test the ni_daq_700 driver with
my test program and noticed this bug.

Shift the DIO_R read result to bits 8..15 Digital direction
configuration: channels 0-7 output, 8-15 input (8225 device emu as port
A output, port B input, port C N/A).

Signed-off-by: Fred Brooks <nsaspook@nsaspook.com>
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: das08: fix possible NULL deref during detach 2012-10-31T17:09:59+00:00 Ian Abbott abbotti@mev.co.uk 2012-10-03T15:25:20+00:00 d136f0fd47d9953139381c8af74976de86eeb224 commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream. `das08_detach()` is called by the comedi core to clean up if either `das08_attach()` or `das08_attach_pci()` returns an error. It sets `thisboard` to the return value of `comedi_board(dev)` and assumes it is non-null. This is a valid assumption if `das08_attach()` fails, but not if `das08_attach_pci()` fails, leading to a possible NULL pointer dereference. Check `thisboard` at the top of `das08_detach()` and return early if it is `NULL`. This is okay because the only other thing that could have been allocated is `dev->private` and that is freed by the comedi core, not by this function. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit ee280d134f2e05e0172369a53fbe202dbfc527fa upstream.

`das08_detach()` is called by the comedi core to clean up if either
`das08_attach()` or `das08_attach_pci()` returns an error.  It sets
`thisboard` to the return value of `comedi_board(dev)` and assumes it is
non-null.  This is a valid assumption if `das08_attach()` fails, but not
if `das08_attach_pci()` fails, leading to a possible NULL pointer
dereference.

Check `thisboard` at the top of `das08_detach()` and return early if it
is `NULL`.  This is okay because the only other thing that could have
been allocated is `dev->private` and that is freed by the comedi core,
not by this function.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: fix memory leak for saved channel list 2012-10-07T15:39:31+00:00 Ian Abbott abbotti@mev.co.uk 2012-09-19T18:37:39+00:00 c8181245e0031c9edcc925407bc87a17b2a06271 commit c8cad4c89ee3b15935c532210ae6ebb5c0a2734d upstream. When `do_cmd_ioctl()` allocates memory for the kernel copy of a channel list, it frees any previously allocated channel list in `async->cmd.chanlist` and replaces it with the new one. However, if the device is ever removed (or "detached") the cleanup code in `cleanup_device()` in "drivers.c" does not free this memory so it is lost. A sensible place to free the kernel copy of the channel list is in `do_become_nonbusy()` as at that point the comedi asynchronous command associated with the channel list is no longer valid. Free the channel list in `do_become_nonbusy()` instead of `do_cmd_ioctl()` and clear the pointer to prevent it being freed more than once. Note that `cleanup_device()` could be called at an inappropriate time while the comedi device is open, but that's a separate bug not related to this this patch. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit c8cad4c89ee3b15935c532210ae6ebb5c0a2734d upstream.

When `do_cmd_ioctl()` allocates memory for the kernel copy of a channel
list, it frees any previously allocated channel list in
`async->cmd.chanlist` and replaces it with the new one.  However, if the
device is ever removed (or "detached") the cleanup code in
`cleanup_device()` in "drivers.c" does not free this memory so it is
lost.

A sensible place to free the kernel copy of the channel list is in
`do_become_nonbusy()` as at that point the comedi asynchronous command
associated with the channel list is no longer valid.  Free the channel
list in `do_become_nonbusy()` instead of `do_cmd_ioctl()` and clear the
pointer to prevent it being freed more than once.

Note that `cleanup_device()` could be called at an inappropriate time
while the comedi device is open, but that's a separate bug not related
to this this patch.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: don't dereference user memory for INSN_INTTRIG 2012-10-07T15:39:31+00:00 Ian Abbott abbotti@mev.co.uk 2012-09-18T18:46:58+00:00 4c68fab02c7b1ab1bba6abd3ac1ab06e72301128 commit 5d06e3df280bd230e2eadc16372e62818c63e894 upstream. `parse_insn()` is dereferencing the user-space pointer `insn->data` directly when handling the `INSN_INTTRIG` comedi instruction. It shouldn't be using `insn->data` at all; it should be using the separate `data` pointer passed to the function. Fix it. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 5d06e3df280bd230e2eadc16372e62818c63e894 upstream.

`parse_insn()` is dereferencing the user-space pointer `insn->data`
directly when handling the `INSN_INTTRIG` comedi instruction.  It
shouldn't be using `insn->data` at all; it should be using the separate
`data` pointer passed to the function.  Fix it.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: comedi: jr3_pci: fix iomem dereference 2012-10-07T15:39:31+00:00 Ian Abbott abbotti@mev.co.uk 2012-09-27T16:45:27+00:00 22d0fff1579e4d040fe22100f4712391a3c0cf4a commit e1878957b4676a17cf398f7f5723b365e9a2ca48 upstream. Correct a direct dereference of I/O memory to use an appropriate I/O memory access function. Note that the pointer being dereferenced is not currently tagged with `__iomem` but I plan to correct that for 3.7. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit e1878957b4676a17cf398f7f5723b365e9a2ca48 upstream.

Correct a direct dereference of I/O memory to use an appropriate I/O
memory access function.  Note that the pointer being dereferenced is not
currently tagged with `__iomem` but I plan to correct that for 3.7.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>