From: Greg Kroah-Hartman Date: Tue, 29 Jul 2025 14:52:35 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.6.101~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=060166d1c5b996b4dd649ea9f1c5122608c76d58;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: comedi-comedi_test-fix-possible-deletion-of-uninitialized-timers.patch --- diff --git a/queue-5.4/comedi-comedi_test-fix-possible-deletion-of-uninitialized-timers.patch b/queue-5.4/comedi-comedi_test-fix-possible-deletion-of-uninitialized-timers.patch new file mode 100644 index 0000000000..9d8090b584 --- /dev/null +++ b/queue-5.4/comedi-comedi_test-fix-possible-deletion-of-uninitialized-timers.patch 
@@ -0,0 +1,42 @@ +From 1b98304c09a0192598d0767f1eb8c83d7e793091 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Tue, 8 Jul 2025 14:06:27 +0100 +Subject: comedi: comedi_test: Fix possible deletion of uninitialized timers + +From: Ian Abbott + +commit 1b98304c09a0192598d0767f1eb8c83d7e793091 upstream. + +In `waveform_common_attach()`, the two timers `&devpriv->ai_timer` and +`&devpriv->ao_timer` are initialized after the allocation of the device +private data by `comedi_alloc_devpriv()` and the subdevices by +`comedi_alloc_subdevices()`. The function may return with an error +between those function calls. In that case, `waveform_detach()` will be +called by the Comedi core to clean up. The check that +`waveform_detach()` uses to decide whether to delete the timers is +incorrect. It only checks that the device private data was allocated, +but that does not guarantee that the timers were initialized. It also +needs to check that the subdevices were allocated. Fix it. + +Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") +Cc: stable@vger.kernel.org # 6.15+ +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/20250708130627.21743-1-abbotti@mev.co.uk +[ file location from drivers/comedi to drivers/staging/comedi and timer_delete_sync() to del_timer_sync(). ] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/comedi/drivers/comedi_test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/comedi_test.c ++++ b/drivers/staging/comedi/drivers/comedi_test.c +@@ -790,7 +790,7 @@ static void waveform_detach(struct comed + { + struct waveform_private *devpriv = dev->private; + +- if (devpriv) { ++ if (devpriv && dev->n_subdevices) { + del_timer_sync(&devpriv->ai_timer); + del_timer_sync(&devpriv->ao_timer); + } diff --git a/queue-5.4/series b/queue-5.4/series index 6ae1dff853..798284a535 100644 --- a/queue-5.4/series +++ b/queue-5.4/series 
@@ -59,3 +59,4 @@ net-appletalk-fix-use-after-free-in-aarp-proxy-probe.patch net-sched-sch_qfq-avoid-triggering-might_sleep-in-at.patch i2c-qup-jump-out-of-the-loop-in-case-of-timeout.patch nilfs2-reject-invalid-file-types-when-reading-inodes.patch +comedi-comedi_test-fix-possible-deletion-of-uninitialized-timers.patch
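Review bot: In the `waveform_detach()` hunk for drivers/staging/comedi/drivers/comedi_test.c, the new condition `if (devpriv && dev->n_subdevices)` treats "subdevices allocated" as a stand-in for "timers initialized", and nothing in the code records that dependency. Per the commit message the timers are set up only after `comedi_alloc_subdevices()`, so the guard is correct only as long as `waveform_common_attach()` has no error return between that call and the two timer setups, which the hunk does not show. Please add a short comment above the condition naming that ordering, so a later change to the attach path does not quietly bring back `del_timer_sync()` on an uninitialized timer. Initializing both timers directly after `comedi_alloc_devpriv()` would be the other option, since the original `if (devpriv)` check would then be sufficient on its own.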
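Review bot: In the header of the queued patch file, the stable annotation reads `Cc: stable@vger.kernel.org # 6.15+`, yet the file is added under queue-5.4, and the bracketed backport note does not say why the version range is being widened. The note explains only the path move to drivers/staging/comedi and the change from `timer_delete_sync()` to `del_timer_sync()`. Please confirm that the commit named in the `Fixes:` line, 73e0e4dfed4c, is present in the 5.4 tree and say so in the bracketed note, and prefix the note with the name of whoever made the adjustment so the change from upstream can be attributed.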