[PATCH 06/11] comedi: pcm711: Fix sanity check in interrupt handler

Next message: David Laight: "Re: [PATCH 1/1] sparc64: unify thread stack sizing and add explicit 32KB stack"
Previous message: Hans de Goede: "Re: [PATCH] HID: lg-g15: cancel pending work on remove to fix a use-after-free"
In reply to: Ian Abbott: "[PATCH 07/11] comedi: pcm816: Fix sanity check in interrupt handler"
Next in thread: Ian Abbott: "[PATCH 10/11] comedi: pcmuio: Add sanity check to interrupt handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ian Abbott

Date: Thu Jun 18 2026 - 06:32:02 EST

The driver requests an interrupt handler for the device before it is
fully set up.

For safety, the interrupt handler checks the dev->attached flag to
ensure the device is fully set up, but it currently does that after
dereferencing the dev->read_dev pointer which may be NULL if
dev->attached is false. Move the check to avoid the possible null
pointer dereference.

Reported-by: Jaeyoung Chung <jjy600901@xxxxxxxxx>
Link: https://lore.kernel.org/lkml/20260610115912.780131-1-jjy600901@xxxxxxxxx/
Reported-by: Sangyun Kim <sangyun.kim@xxxxxxxxx>
Reported-by: Kyungwook Boo <bookyungwook@xxxxxxxxx>
Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx>
---
drivers/comedi/drivers/pcl711.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/comedi/drivers/pcl711.c b/drivers/comedi/drivers/pcl711.c
index 5d2c4b2aa3bb6..8ad5789966f02 100644
--- a/drivers/comedi/drivers/pcl711.c
+++ b/drivers/comedi/drivers/pcl711.c
@@ -184,7 +184,7 @@ static irqreturn_t pcl711_interrupt(int irq, void *d)
{
struct comedi_device *dev = d;
struct comedi_subdevice *s = dev->read_subdev;
- struct comedi_cmd *cmd = &s->async->cmd;
+ struct comedi_cmd *cmd;
unsigned short data;

if (!dev->attached) {
@@ -192,6 +192,7 @@ static irqreturn_t pcl711_interrupt(int irq, void *d)
return IRQ_HANDLED;
}

+ cmd = &s->async->cmd;
data = pcl711_ai_get_sample(dev, s);

outb(PCL711_INT_STAT_CLR, dev->iobase + PCL711_INT_STAT_REG);
--
2.53.0