* [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced
@ 2016-12-20 10:07 Colin King
2016-12-20 21:22 ` Dmitry Torokhov
0 siblings, 1 reply; 3+ messages in thread
From: Colin King @ 2016-12-20 10:07 UTC (permalink / raw)
To: Dmitry Torokhov, Andrew Duggan, Benjamin Tissoires, Lyude Paul,
Dennis Wassenberg, linux-input
Cc: linux-kernel
From: Colin Ian King <colin.king@canonical.com>
rmi_dev is currently being dereferenced before it null checked, so we
have a potential null pointer dereference issue with this. Fix this
by dereferencing rmi_dev after a null check has been performed.
Fixes CoverityScan CID 1391218 ("Dereference before null check")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/input/rmi4/rmi_f03.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/input/rmi4/rmi_f03.c b/drivers/input/rmi4/rmi_f03.c
index 8a7ca3e..008f42a 100644
--- a/drivers/input/rmi4/rmi_f03.c
+++ b/drivers/input/rmi4/rmi_f03.c
@@ -164,7 +164,7 @@ static int rmi_f03_config(struct rmi_function *fn)
static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
{
struct rmi_device *rmi_dev = fn->rmi_dev;
- struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
+ struct rmi_driver_data *drvdata;
struct f03_data *f03 = dev_get_drvdata(&fn->dev);
u16 data_addr = fn->fd.data_base_addr;
const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE;
@@ -178,6 +178,7 @@ static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
if (!rmi_dev)
return -ENODEV;
+ drvdata = dev_get_drvdata(&rmi_dev->dev);
if (drvdata->attn_data.data) {
/* First grab the data passed by the transport device */
if (drvdata->attn_data.size < ob_len) {
--
2.10.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced
2016-12-20 10:07 [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced Colin King
@ 2016-12-20 21:22 ` Dmitry Torokhov
2016-12-21 14:41 ` Colin Ian King
0 siblings, 1 reply; 3+ messages in thread
From: Dmitry Torokhov @ 2016-12-20 21:22 UTC (permalink / raw)
To: Colin King
Cc: Andrew Duggan, Benjamin Tissoires, Lyude Paul, Dennis Wassenberg,
linux-input, linux-kernel
Hi Colin,
On Tue, Dec 20, 2016 at 10:07:50AM +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> rmi_dev is currently being dereferenced before it null checked, so we
> have a potential null pointer dereference issue with this. Fix this
> by dereferencing rmi_dev after a null check has been performed.
>
> Fixes CoverityScan CID 1391218 ("Dereference before null check")
I'd rather we removed the NULL check instead. As far as I can see it
can't even be NULL.
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> drivers/input/rmi4/rmi_f03.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/input/rmi4/rmi_f03.c b/drivers/input/rmi4/rmi_f03.c
> index 8a7ca3e..008f42a 100644
> --- a/drivers/input/rmi4/rmi_f03.c
> +++ b/drivers/input/rmi4/rmi_f03.c
> @@ -164,7 +164,7 @@ static int rmi_f03_config(struct rmi_function *fn)
> static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
> {
> struct rmi_device *rmi_dev = fn->rmi_dev;
> - struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
> + struct rmi_driver_data *drvdata;
> struct f03_data *f03 = dev_get_drvdata(&fn->dev);
> u16 data_addr = fn->fd.data_base_addr;
> const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE;
> @@ -178,6 +178,7 @@ static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
> if (!rmi_dev)
> return -ENODEV;
>
> + drvdata = dev_get_drvdata(&rmi_dev->dev);
> if (drvdata->attn_data.data) {
> /* First grab the data passed by the transport device */
> if (drvdata->attn_data.size < ob_len) {
> --
> 2.10.2
>
Thanks.
--
Dmitry
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced
2016-12-20 21:22 ` Dmitry Torokhov
@ 2016-12-21 14:41 ` Colin Ian King
0 siblings, 0 replies; 3+ messages in thread
From: Colin Ian King @ 2016-12-21 14:41 UTC (permalink / raw)
To: Dmitry Torokhov
Cc: Andrew Duggan, Benjamin Tissoires, Lyude Paul, Dennis Wassenberg,
linux-input, linux-kernel
On 20/12/16 21:22, Dmitry Torokhov wrote:
> Hi Colin,
>
> On Tue, Dec 20, 2016 at 10:07:50AM +0000, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> rmi_dev is currently being dereferenced before it null checked, so we
>> have a potential null pointer dereference issue with this. Fix this
>> by dereferencing rmi_dev after a null check has been performed.
>>
>> Fixes CoverityScan CID 1391218 ("Dereference before null check")
>
> I'd rather we removed the NULL check instead. As far as I can see it
> can't even be NULL.
>
>>
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>> drivers/input/rmi4/rmi_f03.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/input/rmi4/rmi_f03.c b/drivers/input/rmi4/rmi_f03.c
>> index 8a7ca3e..008f42a 100644
>> --- a/drivers/input/rmi4/rmi_f03.c
>> +++ b/drivers/input/rmi4/rmi_f03.c
>> @@ -164,7 +164,7 @@ static int rmi_f03_config(struct rmi_function *fn)
>> static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
>> {
>> struct rmi_device *rmi_dev = fn->rmi_dev;
>> - struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev);
>> + struct rmi_driver_data *drvdata;
>> struct f03_data *f03 = dev_get_drvdata(&fn->dev);
>> u16 data_addr = fn->fd.data_base_addr;
>> const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE;
>> @@ -178,6 +178,7 @@ static int rmi_f03_attention(struct rmi_function *fn, unsigned long *irq_bits)
>> if (!rmi_dev)
>> return -ENODEV;
>>
>> + drvdata = dev_get_drvdata(&rmi_dev->dev);
>> if (drvdata->attn_data.data) {
>> /* First grab the data passed by the transport device */
>> if (drvdata->attn_data.size < ob_len) {
>> --
>> 2.10.2
>>
>
> Thanks.
>
Ignore this patch, correct fix just sent.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-12-21 14:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-20 10:07 [PATCH] input: synaptics-rmi4: check for null rmi_dev before it is dereferenced Colin King
2016-12-20 21:22 ` Dmitry Torokhov
2016-12-21 14:41 ` Colin Ian King
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).