linux-kernel.vger.kernel.org archive mirror
* [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced
@ 2016-12-20 10:07 Colin King
  2016-12-20 21:22 ` Dmitry Torokhov
  0 siblings, 1 reply; 3+ messages in thread
From: Colin King @ 2016-12-20 10:07 UTC (permalink / raw)
  To: Dmitry Torokhov, Andrew Duggan, Benjamin Tissoires, Lyude Paul,
	Dennis Wassenberg, linux-input
  Cc: linux-kernel

From: Colin Ian King <colin.king@canonical.com>

rmi_dev is currently being dereferenced before it is null checked, so we
have a potential null pointer dereference issue with this.  Fix this
by dereferencing rmi_dev after a null check has been performed.

Fixes CoverityScan CID 1391218 ("Dereference before null check")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/input/rmi4/rmi_f03.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/input/rmi4/rmi_f03.c b/drivers/input/rmi4/rmi_f03.c
index 8a7ca3e..008f42a 100644
--- a/drivers/input/rmi4/rmi_f03.c
+++ b/drivers/input/rmi4/rmi_f03.c
@@ -164,7 +164,7 @@ static int rmi_f03_config(struct rmi_function *fn)
 static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
 {
 	struct rmi_device *rmi_dev = fn->rmi_dev;
-	struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
+	struct rmi_driver_data *drvdata;
 	struct f03_data *f03 = dev_get_drvdata(&fn->dev);
 	u16 data_addr = fn->fd.data_base_addr;
 	const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE;
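
Review bot: dropping the initializer from the `drvdata` declaration leaves the pointer uninitialized until the assignment added in the second hunk, and this hunk ends at line 170 while the next begins at 178, so the lines in between are not visible here. Please confirm nothing in that gap reads `drvdata`. Note also that `f03` is still initialized from `dev_get_drvdata(&fn->dev)` and immediately dereferenced for `ob_len` on the following lines, so only the `rmi_dev` path is being reordered; the commit message should say why `rmi_dev` is the one pointer here that may be NULL.
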
@@ -178,6 +178,7 @@ static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
 	if (!rmi_dev)
 		return -ENODEV;
 
+	drvdata = dev_get_drvdata(&rmi_dev->dev);
 	if (drvdata->attn_data.data) {
 		/* First grab the data passed by the transport device */
 		if (drvdata->attn_data.size < ob_len) {
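
Review bot: the `if (!rmi_dev)` test that the new `drvdata = dev_get_drvdata(&rmi_dev->dev);` line is placed behind is only worth keeping if `fn->rmi_dev` can actually be NULL when the attention handler is called, and the commit message cites the Coverity report without establishing that. If it cannot be NULL, deleting the check and leaving the original initializer in place is the smaller change; if it can, describe the path in the changelog. Separately, `drvdata` is dereferenced on the very next line (`drvdata->attn_data.data`) with no check of the value just returned, which is worth a sentence if the intent is to harden this function against missing driver data.
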
-- 
2.10.2


* Re: [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced
  2016-12-20 10:07 [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced Colin King
@ 2016-12-20 21:22 ` Dmitry Torokhov
  2016-12-21 14:41   ` Colin Ian King
  0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Torokhov @ 2016-12-20 21:22 UTC (permalink / raw)
  To: Colin King
  Cc: Andrew Duggan, Benjamin Tissoires, Lyude Paul, Dennis Wassenberg,
	linux-input, linux-kernel

Hi Colin,

On Tue, Dec 20, 2016 at 10:07:50AM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> rmi_dev is currently being dereferenced before it is null checked, so we
> have a potential null pointer dereference issue with this.  Fix this
> by dereferencing rmi_dev after a null check has been performed.
> 
> Fixes CoverityScan CID 1391218 ("Dereference before null check")

I'd rather we removed the NULL check instead. As far as I can see it
can't even be NULL.

> 
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>  drivers/input/rmi4/rmi_f03.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/input/rmi4/rmi_f03.c b/drivers/input/rmi4/rmi_f03.c
> index 8a7ca3e..008f42a 100644
> --- a/drivers/input/rmi4/rmi_f03.c
> +++ b/drivers/input/rmi4/rmi_f03.c
> @@ -164,7 +164,7 @@ static int rmi_f03_config(struct rmi_function *fn)
>  static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
>  {
>  	struct rmi_device *rmi_dev = fn->rmi_dev;
> -	struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
> +	struct rmi_driver_data *drvdata;
>  	struct f03_data *f03 = dev_get_drvdata(&fn->dev);
>  	u16 data_addr = fn->fd.data_base_addr;
>  	const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE;
> @@ -178,6 +178,7 @@ static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
>  	if (!rmi_dev)
>  		return -ENODEV;
>  
> +	drvdata = dev_get_drvdata(&rmi_dev->dev);
>  	if (drvdata->attn_data.data) {
>  		/* First grab the data passed by the transport device */
>  		if (drvdata->attn_data.size < ob_len) {
> -- 
> 2.10.2
> 

Thanks.

-- 
Dmitry


* Re: [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced
  2016-12-20 21:22 ` Dmitry Torokhov
@ 2016-12-21 14:41   ` Colin Ian King
  0 siblings, 0 replies; 3+ messages in thread
From: Colin Ian King @ 2016-12-21 14:41 UTC (permalink / raw)
  To: Dmitry Torokhov
  Cc: Andrew Duggan, Benjamin Tissoires, Lyude Paul, Dennis Wassenberg,
	linux-input, linux-kernel

On 20/12/16 21:22, Dmitry Torokhov wrote:
> Hi Colin,
> 
> On Tue, Dec 20, 2016 at 10:07:50AM +0000, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> rmi_dev is currently being dereferenced before it is null checked, so we
>> have a potential null pointer dereference issue with this.  Fix this
>> by dereferencing rmi_dev after a null check has been performed.
>>
>> Fixes CoverityScan CID 1391218 ("Dereference before null check")
> 
> I'd rather we removed the NULL check instead. As far as I can see it
> can't even be NULL.
> 
>>
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>>  drivers/input/rmi4/rmi_f03.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/input/rmi4/rmi_f03.c b/drivers/input/rmi4/rmi_f03.c
>> index 8a7ca3e..008f42a 100644
>> --- a/drivers/input/rmi4/rmi_f03.c
>> +++ b/drivers/input/rmi4/rmi_f03.c
>> @@ -164,7 +164,7 @@ static int rmi_f03_config(struct rmi_function *fn)
>>  static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
>>  {
>>  	struct rmi_device *rmi_dev = fn->rmi_dev;
>> -	struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
>> +	struct rmi_driver_data *drvdata;
>>  	struct f03_data *f03 = dev_get_drvdata(&fn->dev);
>>  	u16 data_addr = fn->fd.data_base_addr;
>>  	const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE;
>> @@ -178,6 +178,7 @@ static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
>>  	if (!rmi_dev)
>>  		return -ENODEV;
>>  
>> +	drvdata = dev_get_drvdata(&rmi_dev->dev);
>>  	if (drvdata->attn_data.data) {
>>  		/* First grab the data passed by the transport device */
>>  		if (drvdata->attn_data.size < ob_len) {
>> -- 
>> 2.10.2
>>
> 
> Thanks.
> 
Ignore this patch, correct fix just sent.

