From cb4dd573e72bb5307877ae940a5747f0f16ef4d9 Mon Sep 17 00:00:00 2001
From: Ian Abbott
Date: Thu, 15 Dec 2011 18:01:39 +0000
Subject: [PATCH] comedi/drivers.c: handle insn->n == 0 in insn_rw_emulate_bits

A recent change to do_insnlist_ioctl() and do_insn_ioctl() to handle arbitrary limits on means that the 'data' pointer will now be NULL when insn->n == 0. Need to check insn->n is non-zero before accessing *data.

Signed-off-by: Ian Abbott
---
 comedi/drivers.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/comedi/drivers.c b/comedi/drivers.c
index 66bd91cf..33042672 100644
--- a/comedi/drivers.c
+++ b/comedi/drivers.c
@@ -350,11 +350,17 @@ static int insn_rw_emulate_bits(comedi_device * dev, comedi_subdevice * s,
 comedi_insn new_insn;
 int ret;
 static const unsigned channels_per_bitfield = 32;
-
 unsigned chan = CR_CHAN(insn->chanspec);
 const unsigned base_bitfield_channel =
 (chan < channels_per_bitfield) ? 0 : chan;
 lsampl_t new_data[2];
+
+ if ((insn->insn == INSN_WRITE) && !(s->subdev_flags & SDF_WRITABLE))
+ return -EINVAL;
+
+ if (insn->n == 0)
+ return 0;
+
 memset(new_data, 0, sizeof(new_data));
 memset(&new_insn, 0, sizeof(new_insn));
 new_insn.insn = INSN_BITS;
@@ -364,8 +370,6 @@ static int insn_rw_emulate_bits(comedi_device * dev, comedi_subdevice * s,
 new_insn.subdev = insn->subdev;
 
 if (insn->insn == INSN_WRITE) {
- if (!(s->subdev_flags & SDF_WRITABLE))
- return -EINVAL;
 new_data[0] = 1 << (chan - base_bitfield_channel); /* mask */
 new_data[1] = data[0] ? (1 << (chan - base_bitfield_channel)) : 0; /* bits */
 }
--
2.26.2
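Review bot: The new `if (insn->n == 0) return 0;` guard in the first hunk has no comment recording why it exists, so the invariant it protects (per the commit message, `data` is NULL when `insn->n == 0`) is invisible to anyone who later reorders this function or adds an earlier `data[0]` access. I would add `/* data may be NULL when insn->n == 0; return before any data[] access */` directly above it. Since `insn->n` reaches this function through the ioctl paths named in the description, other instruction handlers that index `data[0]` unconditionally presumably need the same guard; that is not visible in this patch and is worth auditing, or enforcing once in the caller. The body of insn_rw_emulate_bits starts and ends outside the hunk.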