1. Patchew
  2. linux
  3. View series

[PATCH] [PATCH] comedi: check for NULL get_valid_routes function pointer

Prabhakar Pujeri posted 1 patch 2 months, 2 weeks ago 
drivers/comedi/comedi_fops.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] [PATCH] comedi: check for NULL get_valid_routes function pointer
Posted by Prabhakar Pujeri 2 months, 2 weeks ago 
From: Super User <root@localhost.localdomain>

The function get_valid_routes() calls the low-level driver's
dev->get_valid_routes() callback directly without checking if it is
set. If this function pointer is NULL, the kernel crashes with a
NULL instruction pointer dereference.

This patch adds a check to ensure the callback is present before
calling it, and returns -EINVAL if it is missing.

This prevents a kernel crash when user space invokes an ioctl that
results in get_valid_routes() being called on drivers that do not
implement the callback.

Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com
Signed-off-by: Prabhakar Pujeri <prabhakar.pujeri@gmail.com>
---
 drivers/comedi/comedi_fops.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
index 3383a7ce27ff..2b8cb280287b 100644
--- a/drivers/comedi/comedi_fops.c
+++ b/drivers/comedi/comedi_fops.c
@@ -1302,6 +1302,11 @@ static int check_insn_device_config_length(struct comedi_insn *insn,
 static int get_valid_routes(struct comedi_device *dev, unsigned int *data)
 {
 	lockdep_assert_held(&dev->mutex);
+	if (!dev->get_valid_routes) {
+		dev_warn(dev->class_dev ?: dev->hw_dev,
+				"get_valid_routes() not implemented\n");
+		return -EINVAL;
+	}
 	data[1] = dev->get_valid_routes(dev, data[1], data + 2);
 	return 0;
 }
-- 
2.50.1
Re: [PATCH] [PATCH] comedi: check for NULL get_valid_routes function pointer
Posted by Ian Abbott 2 months, 2 weeks ago 
On 20/07/2025 08:33, Prabhakar Pujeri wrote:
> From: Super User <root@localhost.localdomain>

I don't know why you added a "From:" line, but its details are bogus.

> The function get_valid_routes() calls the low-level driver's
> dev->get_valid_routes() callback directly without checking if it is
> set. If this function pointer is NULL, the kernel crashes with a
> NULL instruction pointer dereference.
> 
> This patch adds a check to ensure the callback is present before
> calling it, and returns -EINVAL if it is missing.
> 
> This prevents a kernel crash when user space invokes an ioctl that
> results in get_valid_routes() being called on drivers that do not
> implement the callback.

That's a reasonable guess, but the callback shouldn't be missing.  If 
the low-level driver does not set it, then the 
__comedi_device_postconfig(dev) call in "drivers.c" will set it to the 
address of the get_zero_valid_routes function.

> 
> Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com
> Signed-off-by: Prabhakar Pujeri <prabhakar.pujeri@gmail.com>
> ---
>   drivers/comedi/comedi_fops.c | 5 +++++
>   1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
> index 3383a7ce27ff..2b8cb280287b 100644
> --- a/drivers/comedi/comedi_fops.c
> +++ b/drivers/comedi/comedi_fops.c
> @@ -1302,6 +1302,11 @@ static int check_insn_device_config_length(struct comedi_insn *insn,
>   static int get_valid_routes(struct comedi_device *dev, unsigned int *data)
>   {
>   	lockdep_assert_held(&dev->mutex);
> +	if (!dev->get_valid_routes) {
> +		dev_warn(dev->class_dev ?: dev->hw_dev,
> +				"get_valid_routes() not implemented\n");
> +		return -EINVAL;
> +	}
>   	data[1] = dev->get_valid_routes(dev, data[1], data + 2);
>   	return 0;
>   }


-- 
-=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company  )=-
-=( registered in England & Wales.  Regd. number: 02862268.  )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
Re: [PATCH] [PATCH] comedi: check for NULL get_valid_routes function pointer
Posted by Greg KH 2 months, 2 weeks ago 
On Sun, Jul 20, 2025 at 02:33:50AM -0500, Prabhakar Pujeri wrote:
> From: Super User <root@localhost.localdomain>

I don't think you have your git setup properly :(

And look at the subject line, two "[PATCH]"?

> The function get_valid_routes() calls the low-level driver's
> dev->get_valid_routes() callback directly without checking if it is
> set. If this function pointer is NULL, the kernel crashes with a
> NULL instruction pointer dereference.
> 
> This patch adds a check to ensure the callback is present before
> calling it, and returns -EINVAL if it is missing.
> 
> This prevents a kernel crash when user space invokes an ioctl that
> results in get_valid_routes() being called on drivers that do not
> implement the callback.
> 
> Reported-by: syzbot+ab8008c24e84adee93ff@syzkaller.appspotmail.com

Was this tested?  If so, please provide that information.

> Signed-off-by: Prabhakar Pujeri <prabhakar.pujeri@gmail.com>
> ---
>  drivers/comedi/comedi_fops.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/comedi/comedi_fops.c b/drivers/comedi/comedi_fops.c
> index 3383a7ce27ff..2b8cb280287b 100644
> --- a/drivers/comedi/comedi_fops.c
> +++ b/drivers/comedi/comedi_fops.c
> @@ -1302,6 +1302,11 @@ static int check_insn_device_config_length(struct comedi_insn *insn,
>  static int get_valid_routes(struct comedi_device *dev, unsigned int *data)
>  {
>  	lockdep_assert_held(&dev->mutex);
> +	if (!dev->get_valid_routes) {
> +		dev_warn(dev->class_dev ?: dev->hw_dev,
> +				"get_valid_routes() not implemented\n");

Why are you allowing userspace to flood the kernel log?  If this is
something that userspace can trigger, it needs to be handled much
better.

thanks,

greg k-h

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.