mirror of
https://github.com/torvalds/linux
synced 2024-10-09 21:05:10 +00:00
bafd9c6405
`ni_cdio_cmdtest()` validates Comedi asynchronous commands for the DIO
subdevice (subdevice 2) of supported National Instruments M-series
cards. It is called when handling the `COMEDI_CMD` and `COMEDI_CMDTEST`
ioctls for this subdevice. There are two causes for a possible
divide-by-zero error when validating that the `stop_arg` member of the
passed-in command is not too large.
The first cause for the divide-by-zero is that calls to
`comedi_bytes_per_scan()` are only valid once the command has been
copied to `s->async->cmd`, but that copy is only done for the
`COMEDI_CMD` ioctl. For the `COMEDI_CMDTEST` ioctl, it will use
whatever was left there by the previous `COMEDI_CMD` ioctl, if any.
(This is very likely, as it is usual for the application to use
`COMEDI_CMDTEST` before `COMEDI_CMD`.) If there has been no previous,
valid `COMEDI_CMD` for this subdevice, then `comedi_bytes_per_scan()`
will return 0, so the subsequent division in `ni_cdio_cmdtest()` of
`s->async->prealloc_bufsz / comedi_bytes_per_scan(s)` will be a
divide-by-zero error. To fix this error, call a new function
`comedi_bytes_per_scan_cmd(s, cmd)`, based on the existing
`comedi_bytes_per_scan(s)` but using a specified `struct comedi_cmd` for
its calculations. (Also refactor `comedi_bytes_per_scan()` to call the
new function.)
Once the first cause for the divide-by-zero has been fixed, the second
cause is that `comedi_bytes_per_scan_cmd()` can legitimately return 0 if
the `scan_end_arg` member of the `struct comedi_cmd` being tested is 0.
Fix it by only performing the division (and validating that `stop_arg`
is no more than the maximum value) if `comedi_bytes_per_scan_cmd()`
returns a non-zero value.
The problem was reported on the COMEDI mailing list here:
https://groups.google.com/forum/#!topic/comedi_list/4t9WlHzMhKM
Reported-by: Ivan Vasilyev <grabesstimme@gmail.com>
Tested-by: Ivan Vasilyev <grabesstimme@gmail.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| android | ||
| axis-fifo | ||
| board | ||
| clocking-wizard | ||
| comedi | ||
| emxx_udc | ||
| erofs | ||
| fbtft | ||
| fsl-dpaa2 | ||
| fwserial | ||
| gasket | ||
| gdm724x | ||
| goldfish | ||
| greybus | ||
| gs_fpgaboot | ||
| iio | ||
| ks7010 | ||
| media | ||
| most | ||
| mt7621-dma | ||
| mt7621-dts | ||
| mt7621-mmc | ||
| mt7621-pci | ||
| mt7621-pci-phy | ||
| mt7621-pinctrl | ||
| mt7621-spi | ||
| netlogic | ||
| nvec | ||
| octeon | ||
| octeon-usb | ||
| olpc_dcon | ||
| pi433 | ||
| ralink-gdma | ||
| rtl8188eu | ||
| rtl8192e | ||
| rtl8192u | ||
| rtl8712 | ||
| rtl8723bs | ||
| rtlwifi | ||
| rts5208 | ||
| sm750fb | ||
| speakup | ||
| unisys | ||
| vboxvideo | ||
| vc04_services | ||
| vme | ||
| vt6655 | ||
| vt6656 | ||
| wilc1000 | ||
| wlan-ng | ||
| Kconfig | ||
| Makefile | ||