From: Guenter Roeck <linux@roeck-us.net>
To: Nadezda Lutovinova <lutovinova@ispras.ru>
Cc: Marc Hulsman <m.hulsman@tudelft.nl>,
Rudolf Marek <r.marek@assembler.cz>,
Jean Delvare <jdelvare@suse.com>,
linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org,
ldv-project@linuxtesting.org
Subject: Re: [PATCH v2 3/3] hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
Date: Sat, 2 Oct 2021 05:15:14 -0700 [thread overview]
Message-ID: <20211002121514.GA2263467@roeck-us.net> (raw)
In-Reply-To: <20210921155153.28098-3-lutovinova@ispras.ru>
On Tue, Sep 21, 2021 at 06:51:53PM +0300, Nadezda Lutovinova wrote:
> If driver read tmp value sufficient for
> (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
> from device then Null pointer dereference occurs.
> (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
> Also lm75[] does not serve a purpose anymore after switching to
> devm_i2c_new_dummy_device() in w83791d_detect_subclients().
>
> The patch fixes possible NULL pointer dereference by removing lm75[].
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
Applied, after fixing multi-line alignments
Thanks,
Guenter
> ---
> v2:
> - split one file per patch
> - remove lm75[] instead of adding checking
> ---
> drivers/hwmon/w83793.c | 29 ++++++++++++++---------------
> 1 file changed, 14 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/hwmon/w83793.c b/drivers/hwmon/w83793.c
> index e7d0484eabe4..4ee96756ed49 100644
> --- a/drivers/hwmon/w83793.c
> +++ b/drivers/hwmon/w83793.c
> @@ -202,7 +202,6 @@ static inline s8 TEMP_TO_REG(long val, s8 min, s8 max)
> }
>
> struct w83793_data {
> - struct i2c_client *lm75[2];
> struct device *hwmon_dev;
> struct mutex update_lock;
> char valid; /* !=0 if following fields are valid */
> @@ -1566,7 +1565,6 @@ w83793_detect_subclients(struct i2c_client *client)
> int address = client->addr;
> u8 tmp;
> struct i2c_adapter *adapter = client->adapter;
> - struct w83793_data *data = i2c_get_clientdata(client);
>
> id = i2c_adapter_id(adapter);
> if (force_subclients[0] == id && force_subclients[1] == address) {
> @@ -1586,20 +1584,21 @@ w83793_detect_subclients(struct i2c_client *client)
> }
>
> tmp = w83793_read_value(client, W83793_REG_I2C_SUBADDR);
> +
> + if (!(tmp & 0x88) && (tmp & 0x7) == ((tmp >> 4) & 0x7)) {
> + dev_err(&client->dev,
> + "duplicate addresses 0x%x, use force_subclient\n",
> + 0x48 + (tmp & 0x7));
> + return -ENODEV;
> + }
> +
> if (!(tmp & 0x08))
> - data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
> - 0x48 + (tmp & 0x7));
> - if (!(tmp & 0x80)) {
> - if (!IS_ERR(data->lm75[0])
> - && ((tmp & 0x7) == ((tmp >> 4) & 0x7))) {
> - dev_err(&client->dev,
> - "duplicate addresses 0x%x, "
> - "use force_subclients\n", data->lm75[0]->addr);
> - return -ENODEV;
> - }
> - data->lm75[1] = devm_i2c_new_dummy_device(&client->dev, adapter,
> - 0x48 + ((tmp >> 4) & 0x7));
> - }
> + devm_i2c_new_dummy_device(&client->dev, adapter,
> + 0x48 + (tmp & 0x7));
> +
> + if (!(tmp & 0x80))
> + devm_i2c_new_dummy_device(&client->dev, adapter,
> + 0x48 + ((tmp >> 4) & 0x7));
>
> return 0;
> }
next prev parent reply other threads:[~2021-10-02 12:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-11 16:15 hwmon: Error handling in w83793.c, w83791d.c, w83792d.c Nadezda Lutovinova
2021-08-11 16:15 ` [PATCH] hwmon: Correct the error " Nadezda Lutovinova
2021-08-11 18:18 ` Guenter Roeck
2021-09-21 15:51 ` [PATCH v2 1/3] hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field Nadezda Lutovinova
2021-10-02 12:07 ` Guenter Roeck
2021-09-21 15:51 ` [PATCH v2 2/3] hwmon: (w83792d) " Nadezda Lutovinova
2021-10-02 12:12 ` Guenter Roeck
2021-09-21 15:51 ` [PATCH v2 3/3] hwmon: (w83793) " Nadezda Lutovinova
2021-10-02 12:15 ` Guenter Roeck [this message]
2021-08-11 17:51 ` hwmon: Error handling in w83793.c, w83791d.c, w83792d.c Guenter Roeck
2021-08-11 18:19 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211002121514.GA2263467@roeck-us.net \
--to=linux@roeck-us.net \
--cc=jdelvare@suse.com \
--cc=ldv-project@linuxtesting.org \
--cc=linux-hwmon@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lutovinova@ispras.ru \
--cc=m.hulsman@tudelft.nl \
--cc=r.marek@assembler.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.