[PATCH] Fix Segfault in ni_atmio.c line 436

Here's the oops output (scroll to the bottom of this message for an explanation of what it
means):

d29b3997
*pde = 00000000
Oops: 0002
CPU:    0
EIP:    0010:[<d29b3997>]    Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
EFLAGS: 00010246
eax: c1379c00   ebx: 00000100   ecx: 00000000   edx: 00000000
esi: 00000005   edi: d1f4dc00   ebp: c8ba5eec   esp: c8ba5e84
ds: 0018   es: 0018   ss: 0018
Process comedi_config (pid: 2234, stackpage=c8ba5000)
Stack: c8ba5e98 d1ea30c8 00000133 d1a26c80 d1a26d24 c1379c00 d29b5340
d29b3eb9
       c8ba5ef5 c8ba5eec d29a7f59 d1f4dc00 c8ba5eec 000000d8 00000007
c0126baf
       c8ba5f14 c130aaf0 00000000 00000000 c8ba5eec d1f4dc00 d29a545c
d1f4dc00
Call Trace:    [<d29b5340>] [<d29b3eb9>] [<d29a7f59>] [<c0126baf>]
[<d29a545c>]   [<c0144925>] [<c01491b9>] [<c0109173>]
Code: 89 02 89 5c 24 08 0f b7 47 0c c7 04 24 3f 3f 9b d2 89 44 24


>>EIP; d29b3997 <[ni_atmio]ni_atmio_attach+47/1f0>   <=====

>>eax; c1379c00 <_end+10638b0/124f6d10>
>>edi; d1f4dc00 <_end+11c378b0/124f6d10>
>>ebp; c8ba5eec <_end+888fb9c/124f6d10>
>>esp; c8ba5e84 <_end+888fb34/124f6d10>

Trace; d29b5340 <[ni_atmio]driver_atmio+0/20>
Trace; d29b3eb9 <[ni_atmio]__module_description+19/24>
Trace; d29a7f59 <[comedi]comedi_device_attach+c9/1c0>
Trace; c0126baf <request_module+10f/1f0>
Trace; d29a545c <[comedi]do_devconfig_ioctl+10c/170>
Trace; c0144925 <path_release+15/40>
Trace; c01491b9 <sys_ioctl+b9/1c0>
Trace; c0109173 <system_call+47/4c>

Code;  d29b3997 <[ni_atmio]ni_atmio_attach+47/1f0>
00000000 <_EIP>:
Code;  d29b3997 <[ni_atmio]ni_atmio_attach+47/1f0>   <=====
   0:   89 02                     mov    %eax,(%edx)   <=====
Code;  d29b3999 <[ni_atmio]ni_atmio_attach+49/1f0>
   2:   89 5c 24 08               mov    %ebx,0x8(%esp,1)
Code;  d29b399d <[ni_atmio]ni_atmio_attach+4d/1f0>
   6:   0f b7 47 0c               movzwl 0xc(%edi),%eax
Code;  d29b39a1 <[ni_atmio]ni_atmio_attach+51/1f0>
   a:   c7 04 24 3f 3f 9b d2      movl   $0xd29b3f3f,(%esp,1)
Code;  d29b39a8 <[ni_atmio]ni_atmio_attach+58/1f0>
  11:   89 44 24 00               mov    %eax,0x0(%esp,1)



---

So I bothered to actually trace this oops output by looking at the
gcc assembly output of ni_atmio.c  -- the crash point corresponds to the
following code fragment in ni_atmio_attach (called as the result of a
comedi_config):

	{
		ret = ni_isapnp_find_board( &isapnp_dev );
		if( ret < 0 ) return ret;

#ifdef __ISAPNP__
		iobase = isapnp_dev->resource[0].start;
		irq = isapnp_dev->irq_resource[0].start;
		devpriv->isapnp_dev = isapnp_dev; // <-- this is the invalid crashing line
#else
		return -EIO;
#endif


The crash happens right when devpriv->isapnp_dev is assigned the
isapnp_dev pointer populated by ni_isapnp_find_board().

I can't tell for sure, but it appears that at this point in the function
devpriv is not yet allocated (it gets allocated later in the function
under a call to alloc_private()).  So I guess this is a typo/source bug.
Anyway I am submitting the following patch to fix this problem:


--- ni_atmio.c  2003-05-19 15:33:42.000000000 -0400
+++ ni_atmio_fixed.c    2003-05-19 15:33:31.000000000 -0400
_at__at_ -433,7 +433,6 _at__at_
 #ifdef __ISAPNP__
                iobase = isapnp_dev->resource[0].start;
                irq = isapnp_dev->irq_resource[0].start;
-               devpriv->isapnp_dev = isapnp_dev;
 #else
                return -EIO;
 #endif
_at__at_ -492,6 +491,8 _at__at_
        if((ret=alloc_private(dev,sizeof(ni_private)))<0)
                return ret;

+       devpriv->isapnp_dev = isapnp_dev; /* save the isapnp_dev ptr now */
+
        /* generic E series stuff in ni_mio_common.c */

        if( (ret=ni_E_init(dev,it))<0 ){
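Review bot: The moved store `devpriv->isapnp_dev = isapnp_dev;` now runs unconditionally, while the only assignment to `isapnp_dev` visible here is the `ni_isapnp_find_board()` call inside a brace block in the first hunk; if its declaration (outside both hunks) does not initialise it to NULL, an attach that skips the PnP lookup would copy an indeterminate pointer into the private struct. Initialising the local at its declaration, or guarding the store on the lookup having run, would close that. The line has also left the `#ifdef __ISAPNP__` region, so confirm that `ni_private` declares `isapnp_dev` and that the pointer type is in scope in non-ISAPNP builds, or wrap the store in the same `#ifdef`. The added comment states what rather than why; `/* devpriv is only valid after alloc_private(); storing earlier dereferenced an unallocated private struct */` would record the bug being fixed. ni_atmio_attach begins and ends outside this hunk.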

Received on 2003-05-19Z18:43:02