From edac7e58d4b28e03b5d76d83b8890469c5e83c6a Mon Sep 17 00:00:00 2001
From: Ian Abbott
Date: Tue, 18 Sep 2012 20:00:08 +0100
Subject: [PATCH] comedi_fops: fix user-memory dereference for INSN_INTTRIG

The parse_insn() function shouldn't dereference `insn->data` as that is pointing to user-space memory. It should deference the separate `data` parameter instead, which points to a kernel copy of the data. Only the `INSN_INTTRIG` case needs fixing. Fix it.

Signed-off-by: Ian Abbott
---
 comedi/comedi_fops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/comedi/comedi_fops.c b/comedi/comedi_fops.c
index 53d6acaf..d4e209db 100644
--- a/comedi/comedi_fops.c
+++ b/comedi/comedi_fops.c
@@ -882,7 +882,7 @@ static int parse_insn(comedi_device * dev, comedi_insn * insn, lsampl_t * data,
 ret = -EAGAIN;
 break;
 }
- ret = s->async->inttrig(dev, s, insn->data[0]);
+ ret = s->async->inttrig(dev, s, data[0]);
 if (ret >= 0)
 ret = 1;
 break;
-- 
2.26.2
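Review bot: The new `data[0]` read is only safe if the kernel copy holds at least one sample, and no length check on `insn->n` for this case is visible in the hunk. parse_insn's body starts and ends outside the hunk, so please confirm that a request with no samples is rejected before this line is reached. Nothing in the code itself prevents the same mistake from recurring in another case, so a comment at the top of the function would help, for example `/* insn->data is a user-space pointer; only the kernel copy in data[] may be dereferenced here */`. If the tree is checked with sparse, annotating the `data` member of `comedi_insn` as `__user` would let this class of dereference be flagged automatically.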