From: Guenter Roeck <linux@roeck-us.net>
To: Nadezda Lutovinova <lutovinova@ispras.ru>
Cc: Marc Hulsman <m.hulsman@tudelft.nl>,
Jean Delvare <jdelvare@suse.com>,
Rudolf Marek <r.marek@assembler.cz>,
linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org,
ldv-project@linuxtesting.org
Subject: Re: hwmon: Error handling in w83793.c, w83791d.c, w83792d.c
Date: Wed, 11 Aug 2021 10:51:20 -0700 [thread overview]
Message-ID: <20210811175120.GA3138792@roeck-us.net> (raw)
In-Reply-To: <20210811161515.17842-1-lutovinova@ispras.ru>
On Wed, Aug 11, 2021 at 07:15:14PM +0300, Nadezda Lutovinova wrote:
> In w83793_detect_subclients(): if driver read tmp value sufficient for
> (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
> from device then Null pointer dereference occurs.
> (It is possible if tmp = 0b0xyz1xyz, where same chars mean same numbers).
>
> It can be fixed just by adding a checking for null pointer, patch for
> this is in the next letter. But a question arised:
> The array w83793_data->lm75 is used once in this function after switching
> to devm_i2c_new_dummy_device() instead of i2c_new_dummy(). And this
> function is called once (from w83793_probe()). Maybe this array should be
> deleted from struct w83793_data?
>
That is part of it. However, the entire code is wrong. There is no need
to check for I2C address overlap in the first place, and the i2c address
for the second 'virtual' chip should start with 0x4c, not with 0x48.
See w83793g/w83793ag datasheet, section 8.3.2.2.
I assume the code was copied from w83791d and w83792d, where the addresses
can indeed overlap.
Guenter
> The same situation in w83791d.c and in w83792d.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
next prev parent reply other threads:[~2021-08-11 17:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-11 16:15 hwmon: Error handling in w83793.c, w83791d.c, w83792d.c Nadezda Lutovinova
2021-08-11 16:15 ` [PATCH] hwmon: Correct the error " Nadezda Lutovinova
2021-08-11 18:18 ` Guenter Roeck
2021-09-21 15:51 ` [PATCH v2 1/3] hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field Nadezda Lutovinova
2021-10-02 12:07 ` Guenter Roeck
2021-09-21 15:51 ` [PATCH v2 2/3] hwmon: (w83792d) " Nadezda Lutovinova
2021-10-02 12:12 ` Guenter Roeck
2021-09-21 15:51 ` [PATCH v2 3/3] hwmon: (w83793) " Nadezda Lutovinova
2021-10-02 12:15 ` Guenter Roeck
2021-08-11 17:51 ` Guenter Roeck [this message]
2021-08-11 18:19 ` hwmon: Error handling in w83793.c, w83791d.c, w83792d.c Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210811175120.GA3138792@roeck-us.net \
--to=linux@roeck-us.net \
--cc=jdelvare@suse.com \
--cc=ldv-project@linuxtesting.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lutovinova@ispras.ru \
--cc=m.hulsman@tudelft.nl \
--cc=r.marek@assembler.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).