Commit 63ab0395 authored by Ian Abbott's avatar Ian Abbott Committed by Greg Kroah-Hartman

staging: comedi: make determination of read or write subdevice safer

`comedi_read_subdevice()` and `comedi_write_subdevice()` respectively
determine the read and write subdevice to use for a comedi device,
depending on a minor device number passed in.  The comedi device has a
main "board" minor device number and may also have dynamically assigned,
subdevice-specific minor device numbers, in a range of numbers shared by
all comedi devices.  If the minor device number is within the range of
subdevice-specific minor device numbers, both functions call
`comedi_subdevice_from_minor()` to determine what subdevice is
associated with the minor device number (if any) and then check the
subdevice belongs to the comedi device.  Since the subdevice might
belong to a different comedi device, the check is not protected against
the subdevice being freed.  Perform the check in
`comedi_subdevice_from_minor()` instead, where it is protected against
the subdevice being freed.  Make it return `NULL` if the subdevice does
not belong to the device.
Signed-off-by: default avatarIan Abbott <abbotti@mev.co.uk>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 49445b91
...@@ -177,7 +177,7 @@ static void comedi_free_board_dev(struct comedi_device *dev) ...@@ -177,7 +177,7 @@ static void comedi_free_board_dev(struct comedi_device *dev)
} }
static struct comedi_subdevice static struct comedi_subdevice
*comedi_subdevice_from_minor(unsigned minor) *comedi_subdevice_from_minor(const struct comedi_device *dev, unsigned minor)
{ {
struct comedi_subdevice *s; struct comedi_subdevice *s;
unsigned int i = minor - COMEDI_NUM_BOARD_MINORS; unsigned int i = minor - COMEDI_NUM_BOARD_MINORS;
...@@ -185,6 +185,8 @@ static struct comedi_subdevice ...@@ -185,6 +185,8 @@ static struct comedi_subdevice
BUG_ON(i >= COMEDI_NUM_SUBDEVICE_MINORS); BUG_ON(i >= COMEDI_NUM_SUBDEVICE_MINORS);
mutex_lock(&comedi_subdevice_minor_table_lock); mutex_lock(&comedi_subdevice_minor_table_lock);
s = comedi_subdevice_minor_table[i]; s = comedi_subdevice_minor_table[i];
if (s && s->device != dev)
s = NULL;
mutex_unlock(&comedi_subdevice_minor_table_lock); mutex_unlock(&comedi_subdevice_minor_table_lock);
return s; return s;
} }
...@@ -229,10 +231,8 @@ comedi_read_subdevice(const struct comedi_device *dev, unsigned int minor) ...@@ -229,10 +231,8 @@ comedi_read_subdevice(const struct comedi_device *dev, unsigned int minor)
struct comedi_subdevice *s; struct comedi_subdevice *s;
if (minor >= COMEDI_NUM_BOARD_MINORS) { if (minor >= COMEDI_NUM_BOARD_MINORS) {
s = comedi_subdevice_from_minor(minor); s = comedi_subdevice_from_minor(dev, minor);
if (!s || s->device != dev) if (s == NULL || (s->subdev_flags & SDF_CMD_READ))
return NULL;
if (s->subdev_flags & SDF_CMD_READ)
return s; return s;
} }
return dev->read_subdev; return dev->read_subdev;
...@@ -244,10 +244,8 @@ comedi_write_subdevice(const struct comedi_device *dev, unsigned int minor) ...@@ -244,10 +244,8 @@ comedi_write_subdevice(const struct comedi_device *dev, unsigned int minor)
struct comedi_subdevice *s; struct comedi_subdevice *s;
if (minor >= COMEDI_NUM_BOARD_MINORS) { if (minor >= COMEDI_NUM_BOARD_MINORS) {
s = comedi_subdevice_from_minor(minor); s = comedi_subdevice_from_minor(dev, minor);
if (!s || s->device != dev) if (s == NULL || (s->subdev_flags & SDF_CMD_WRITE))
return NULL;
if (s->subdev_flags & SDF_CMD_WRITE)
return s; return s;
} }
return dev->write_subdev; return dev->write_subdev;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment