Some comedi drivers set dev->read_subdev or dev->write_subdev to a
subdevice that does not set asynchronous commands. This can cause a
NULL pointer dereference in comedi_read(), comedi_write(), or
comedi_poll() when they try to dereference s->async.
Test to make sure s->async is non-NULL.
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
mask = 0;
read_subdev = comedi_get_read_subdevice(dev_file_info);
- if (read_subdev) {
+ if (read_subdev && read_subdev->async) {
poll_wait(file, &read_subdev->async->wait_head, wait);
if (!read_subdev->busy
|| comedi_buf_read_n_available(read_subdev->async) > 0
}
}
write_subdev = comedi_get_write_subdevice(dev_file_info);
- if (write_subdev) {
+ if (write_subdev && write_subdev->async) {
poll_wait(file, &write_subdev->async->wait_head, wait);
comedi_buf_write_alloc(write_subdev->async, write_subdev->async->prealloc_bufsz);
if (!write_subdev->busy
goto done;
}
async = s->async;
+ if (async == NULL) {
+ retval = -EIO;
+ goto done;
+ }
if (!nbytes) {
retval = 0;
goto done;
}
async = s->async;
+ if (async == NULL) {
+ retval = -EIO;
+ goto done;
+ }
if (!nbytes) {
retval = 0;
goto done;
projects / comedi.git / commitdiff