git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Ian Abbott <abbotti@mev.co.uk>
	Tue, 8 Jul 2025 13:06:27 +0000 (14:06 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 15 Aug 2025 10:04:50 +0000 (12:04 +0200)
commit	7dc9cd0585c22af97b2744feeec889d0c7a129a1
tree	86952fab83c5b8a27b8e20f1e99b4751fbd4833b	tree
parent	afc08b0b5587b553799bc375957706936a3e0088	commit \| diff

comedi: comedi_test: Fix possible deletion of uninitialized timers

commit 1b98304c09a0192598d0767f1eb8c83d7e793091 upstream.

In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and
`&devpriv->ao_timer` are initialized after the allocation of the device
private data by `comedi_alloc_devpriv()` and the subdevices by
`comedi_alloc_subdevices()`.  The function may return with an error
between those function calls.  In that case, `waveform_detach()` will be
called by the Comedi core to clean up.  The check that
`waveform_detach()` uses to decide whether to delete the timers is
incorrect.  It only checks that the device private data was allocated,
but that does not guarantee that the timers were initialized.  It also
needs to check that the subdevices were allocated.  Fix it.

Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up")
Cc: stable@vger.kernel.org # 6.15+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk
[ changed timer_delete_sync() to del_timer_sync() ]
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>