[PATCH 07/11] comedi: pcm816: Fix sanity check in interrupt handler

Next message: Greg Kroah-Hartman: "Re: [Bug]KASAN: slab-use-after-free Read in iowarrior_release"
Previous message: Sechang Lim: "[PATCH bpf v3 2/2] selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser"
In reply to: Ian Abbott: "[PATCH 09/11] comedi: pcmmio: Add sanity check to interrupt handler"
Next in thread: Ian Abbott: "[PATCH 06/11] comedi: pcm711: Fix sanity check in interrupt handler"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ian Abbott

Date: Thu Jun 18 2026 - 06:31:38 EST

The driver requests an interrupt handler for the device before it is
fully set up.

For safety, the interrupt handler checks the dev->attached flag to
ensure the device is fully set up, but it currently does that after
dereferencing the devpriv->dma pointer which may be NULL if
dev->attached is false. Move the dereference of the devpriv->dma
pointer after dev->attached has been checked to avoid the possible null
pointer dereference.

Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx>
---
drivers/comedi/drivers/pcl816.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/comedi/drivers/pcl816.c b/drivers/comedi/drivers/pcl816.c
index 1fcb2f798c7a5..b0d30cb1cfe9e 100644
--- a/drivers/comedi/drivers/pcl816.c
+++ b/drivers/comedi/drivers/pcl816.c
@@ -242,7 +242,7 @@ static irqreturn_t pcl816_interrupt(int irq, void *d)
struct comedi_subdevice *s = dev->read_subdev;
struct pcl816_private *devpriv = dev->private;
struct comedi_isadma *dma = devpriv->dma;
- struct comedi_isadma_desc *desc = &dma->desc[dma->cur_dma];
+ struct comedi_isadma_desc *desc;
unsigned int nsamples;
unsigned int bufptr;

@@ -257,6 +257,7 @@ static irqreturn_t pcl816_interrupt(int irq, void *d)
return IRQ_HANDLED;
}

+ desc = &dma->desc[dma->cur_dma];
nsamples = comedi_bytes_to_samples(s, desc->size) -
devpriv->ai_poll_ptr;
bufptr = devpriv->ai_poll_ptr;
--
2.53.0