Re: [PATCH] i2c: tegra: fix a possible NULL dereference

From: Thierry Reding <thierry.reding-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Uwe Kleine-König"
	<u.kleine-koenig-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>
Cc: LABBE Corentin
	<montjoie.mailing-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	LABBE Corentin
	<clabbe.montjoie-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
	gnurou-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	ldewangan-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org,
	swarren-3lzwWm7+Weoh9ZMKESR00Q@public.gmane.org,
	wsa-z923LK4zBo2bacvFa/9K2g@public.gmane.org,
	linux-i2c-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-tegra-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] i2c: tegra: fix a possible NULL dereference
Date: Thu, 12 Nov 2015 14:55:00 +0100	[thread overview]
Message-ID: <20151112135500.GA1131@ulmo> (raw)
In-Reply-To: <20151112134519.GJ24008-bIcnvbaLZ9MEGnE8C9+IrQ@public.gmane.org>

[-- Attachment #1: Type: text/plain, Size: 2632 bytes --]

On Thu, Nov 12, 2015 at 02:45:20PM +0100, Uwe Kleine-König wrote:
> On Thu, Nov 12, 2015 at 02:28:37PM +0100, Thierry Reding wrote:
> > On Thu, Nov 12, 2015 at 01:54:22PM +0100, LABBE Corentin wrote:
> > > On Thu, Nov 12, 2015 at 01:29:23PM +0100, Thierry Reding wrote:
> > > > On Thu, Nov 12, 2015 at 08:26:03AM +0100, LABBE Corentin wrote:
> > > > > of_match_device could return NULL, and so cause a NULL pointer
> > > > 
> > > > No. There is no way that of_match_device() can ever fail. The driver
> > > > core uses the same table to match the OF device to the driver, so the
> > > > only case where of_match_device() would return NULL is if no match was
> > > > found, in which case the tegra_i2c_probe() function would never have
> > > > been called in the first place.
> > > > 
> > > > Thierry
> > > > 
> > > 
> > > In a parallel thread for i2c-rcar, the conclusion was different.
> > > https://lkml.org/lkml/2015/11/12/83
> > 
> > The conclusion was the same: there should be no case where this happens.
> > The example that Uwe gave is hypothetical and not valid DT in the first
> > place. So instead of chickening out I think it'd be better to just crash
> > to make sure people fix the DT.
> 
> It depends in your trust in the DT. Just because it's not advisable to
> do something that is not documented usually isn't a good excuse to not
> handle broken input. That't the case for webserver requests, arguments
> to system calls and several more. I admit DT is a bit special because
> you have to assume it's trusted, but still handling errors in a sane way
> is IMHO nice.

Given that it's supposed to be provided by firmware and possibly from a
ROM, crashing might be a better motivation for fixing it than erroring
out, which people might just ignore or not notice until it's too late.

> > On a side-note I think that platform_match() should be stricter and do
> > something like this instead:
> > 
> > 	if (dev->of_node) {
> > 		if (of_driver_match_device(dev, drv))
> > 			return 1;
> > 
> > 		return 0;
> > 	}
> That's equivalent to
> 
> 	if (dev->of_node)
> 		return of_driver_match_device(dev, drv);
> 
> and was already suggested in the thread referenced from my reply to
> http://article.gmane.org/gmane.linux.kernel/2083641 :-)

Ah, too many cross-reference =) FWIW:

Acked-by: Thierry Reding <treding-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>

If we want to gracefully handle this, then let's do it in the core by
making sure that drivers where it would return NULL are never probed,
rather than coding this check in every single driver.

Thierry

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]