[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 46d8c744136ce2454aa4c35c138cc06817f92b8e
Status in newer kernel trees: 6.15.y | Not found 6.12.y | Not found 6.6.y | Not found 6.1.y | Not found 5.15.y | Not found 5.10.y | Not found
Note: The patch differs from the upstream commit: --- 1: 46d8c744136c ! 1: 8293aa18dbe9 comedi: Fix initialization of data for instructions that write to subdevice @@ Metadata ## Commit message ## comedi: Fix initialization of data for instructions that write to subdevice
+ [ Upstream commit 46d8c744136ce2454aa4c35c138cc06817f92b8e ] + Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions @@ Commit message Signed-off-by: Ian Abbott abbotti@mev.co.uk Link: https://lore.kernel.org/r/20250707161439.88385-1-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org + [ Reworked for before commit bac42fb21259 ("comedi: get rid of compat_alloc_user_space() mess in COMEDI_CMD{,TEST} compat") ] + Signed-off-by: Ian Abbott abbotti@mev.co.uk
- ## drivers/comedi/comedi_fops.c ## -@@ drivers/comedi/comedi_fops.c: static int do_insnlist_ioctl(struct comedi_device *dev, + ## drivers/staging/comedi/comedi_fops.c ## +@@ drivers/staging/comedi/comedi_fops.c: static int do_insnlist_ioctl(struct comedi_device *dev, }
- for (i = 0; i < n_insns; ++i) { + for (i = 0; i < insnlist.n_insns; ++i) { + unsigned int n = insns[i].n; + if (insns[i].insn & INSN_MASK_WRITE) { @@ drivers/comedi/comedi_fops.c: static int do_insnlist_ioctl(struct comedi_device dev_dbg(dev->class_dev, "copy_to_user failed\n"); ret = -EFAULT; -@@ drivers/comedi/comedi_fops.c: static int do_insn_ioctl(struct comedi_device *dev, +@@ drivers/staging/comedi/comedi_fops.c: static int do_insn_ioctl(struct comedi_device *dev, ret = -EFAULT; goto error; } -+ if (insn->n < MIN_SAMPLES) { -+ memset(&data[insn->n], 0, -+ (MIN_SAMPLES - insn->n) * sizeof(unsigned int)); ++ if (insn.n < MIN_SAMPLES) { ++ memset(&data[insn.n], 0, ++ (MIN_SAMPLES - insn.n) * sizeof(unsigned int)); + } } - ret = parse_insn(dev, insn, data, file); + ret = parse_insn(dev, &insn, data, file); if (ret < 0)
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | origin/linux-5.4.y | Success | Success |