[PATCH] iio: adc: ad7192: fix null de-ref crash during probe

[PATCH] iio: adc: ad7192: fix null de-ref crash during probe

[Alexandru Ardelean]

When the 'spi_device_id' table was removed, it omitted to cleanup/fix the
assignment:
  'indio_dev->name = spi_get_device_id(spi)->name;'

After that patch 'spi_get_device_id(spi)' returns NULL, so this crashes
during probe with null de-ref.

This change assigns the 'compatible' string from the DT table, as the new
'indio_dev->name'. As such, the new device/part name now looks like
'adi,ad719x', and now has the vendor prefix.

Note that this change is not doing any NULL check to the return value of
'of_match_device()'. This shouldn't happen, and if it does it's likely a
framework error on the probe side.

Fixes 66614ab2be38: ("staging: iio: adc: ad7192: removed spi_device_id")
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
---
 drivers/iio/adc/ad7192.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/adc/ad7192.c b/drivers/iio/adc/ad7192.c
index 8ec28aa8fa8a..0039a45e1f33 100644
--- a/drivers/iio/adc/ad7192.c
+++ b/drivers/iio/adc/ad7192.c
@@ -888,6 +888,7 @@ MODULE_DEVICE_TABLE(of, ad7192_of_match);
 
 static int ad7192_probe(struct spi_device *spi)
 {
+	const struct of_device_id *of_id;
 	struct ad7192_state *st;
 	struct iio_dev *indio_dev;
 	int ret, voltage_uv = 0;
@@ -937,10 +938,12 @@ static int ad7192_probe(struct spi_device *spi)
 		goto error_disable_avdd;
 	}
 
+	of_id = of_match_device(ad7192_of_match, &spi->dev);
+
 	spi_set_drvdata(spi, indio_dev);
-	st->devid = (unsigned long)of_device_get_match_data(&spi->dev);
+	st->devid = (unsigned long)of_id->data;
 	indio_dev->dev.parent = &spi->dev;
-	indio_dev->name = spi_get_device_id(spi)->name;
+	indio_dev->name = of_id->compatible;
 	indio_dev->modes = INDIO_DIRECT_MODE;
 
 	ret = ad7192_channels_config(indio_dev);
-- 
2.17.1

[PATCH v2] iio: adc: ad7192: fix null pointer de-reference crash during probe

[Alexandru Ardelean]

When the 'spi_device_id' table was removed, it omitted to cleanup/fix the
assignment:
  'indio_dev->name = spi_get_device_id(spi)->name;'

After that patch 'spi_get_device_id(spi)' returns NULL, so this crashes
during probe with null de-ref.

This change assigns the 'compatible' string from the DT table, as the new
'indio_dev->name'. As such, the new device/part name now looks like
'adi,ad719x', and now has the vendor prefix.

Note that this change is not doing any NULL check to the return value of
'of_match_device()'. This shouldn't happen, and if it does it's likely a
framework error on the probe side.

Fixes: 66614ab2be38 ("staging: iio: adc: ad7192: removed spi_device_id")
Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
---

Changelog v1 -> v2:
* fix colon for Fixes tag
* updated commit title a bit; to make it longer

 drivers/iio/adc/ad7192.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/adc/ad7192.c b/drivers/iio/adc/ad7192.c
index 8ec28aa8fa8a..0039a45e1f33 100644
--- a/drivers/iio/adc/ad7192.c
+++ b/drivers/iio/adc/ad7192.c
@@ -888,6 +888,7 @@ MODULE_DEVICE_TABLE(of, ad7192_of_match);
 
 static int ad7192_probe(struct spi_device *spi)
 {
+	const struct of_device_id *of_id;
 	struct ad7192_state *st;
 	struct iio_dev *indio_dev;
 	int ret, voltage_uv = 0;
@@ -937,10 +938,12 @@ static int ad7192_probe(struct spi_device *spi)
 		goto error_disable_avdd;
 	}
 
+	of_id = of_match_device(ad7192_of_match, &spi->dev);
+
 	spi_set_drvdata(spi, indio_dev);
-	st->devid = (unsigned long)of_device_get_match_data(&spi->dev);
+	st->devid = (unsigned long)of_id->data;
 	indio_dev->dev.parent = &spi->dev;
-	indio_dev->name = spi_get_device_id(spi)->name;
+	indio_dev->name = of_id->compatible;
 	indio_dev->modes = INDIO_DIRECT_MODE;
 
 	ret = ad7192_channels_config(indio_dev);
-- 
2.17.1

Re: [PATCH v2] iio: adc: ad7192: fix null pointer de-reference crash during probe

[Jonathan Cameron]

On Tue, 7 Apr 2020 09:33:10 +0300
Alexandru Ardelean <alexandru.ardelean@analog.com> wrote:

> When the 'spi_device_id' table was removed, it omitted to cleanup/fix the
> assignment:
>   'indio_dev->name = spi_get_device_id(spi)->name;'
> 
> After that patch 'spi_get_device_id(spi)' returns NULL, so this crashes
> during probe with null de-ref.
> 
> This change assigns the 'compatible' string from the DT table, as the new
> 'indio_dev->name'. As such, the new device/part name now looks like
> 'adi,ad719x', and now has the vendor prefix.
> 
> Note that this change is not doing any NULL check to the return value of
> 'of_match_device()'. This shouldn't happen, and if it does it's likely a
> framework error on the probe side.
> 
> Fixes: 66614ab2be38 ("staging: iio: adc: ad7192: removed spi_device_id")
> Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>

Hmm. Returning the compatible isn't compatible with the ABI.

I think we will have to introduce a bit of indirection here to
allow for a 'chip info' type structure with the name and the magic ID value
that is currently in the data field of the of_device_id table.

That way we can have the name explicit.   Note I don't want to
mess around with stripping the prefix off the compatible as that sort of
thing is hard to read.

Jonathan

> ---
> 
> Changelog v1 -> v2:
> * fix colon for Fixes tag
> * updated commit title a bit; to make it longer
> 
>  drivers/iio/adc/ad7192.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/iio/adc/ad7192.c b/drivers/iio/adc/ad7192.c
> index 8ec28aa8fa8a..0039a45e1f33 100644
> --- a/drivers/iio/adc/ad7192.c
> +++ b/drivers/iio/adc/ad7192.c
> @@ -888,6 +888,7 @@ MODULE_DEVICE_TABLE(of, ad7192_of_match);
>  
>  static int ad7192_probe(struct spi_device *spi)
>  {
> +	const struct of_device_id *of_id;
>  	struct ad7192_state *st;
>  	struct iio_dev *indio_dev;
>  	int ret, voltage_uv = 0;
> @@ -937,10 +938,12 @@ static int ad7192_probe(struct spi_device *spi)
>  		goto error_disable_avdd;
>  	}
>  
> +	of_id = of_match_device(ad7192_of_match, &spi->dev);
> +
>  	spi_set_drvdata(spi, indio_dev);
> -	st->devid = (unsigned long)of_device_get_match_data(&spi->dev);
> +	st->devid = (unsigned long)of_id->data;
>  	indio_dev->dev.parent = &spi->dev;
> -	indio_dev->name = spi_get_device_id(spi)->name;
> +	indio_dev->name = of_id->compatible;
>  	indio_dev->modes = INDIO_DIRECT_MODE;
>  
>  	ret = ad7192_channels_config(indio_dev);

Re: [PATCH v2] iio: adc: ad7192: fix null pointer de-reference crash during probe

[Ardelean, Alexandru]

On Sun, 2020-04-12 at 12:38 +0100, Jonathan Cameron wrote:
> [External]
> 
> On Tue, 7 Apr 2020 09:33:10 +0300
> Alexandru Ardelean <alexandru.ardelean@analog.com> wrote:
> 
> > When the 'spi_device_id' table was removed, it omitted to cleanup/fix the
> > assignment:
> >   'indio_dev->name = spi_get_device_id(spi)->name;'
> > 
> > After that patch 'spi_get_device_id(spi)' returns NULL, so this crashes
> > during probe with null de-ref.
> > 
> > This change assigns the 'compatible' string from the DT table, as the new
> > 'indio_dev->name'. As such, the new device/part name now looks like
> > 'adi,ad719x', and now has the vendor prefix.
> > 
> > Note that this change is not doing any NULL check to the return value of
> > 'of_match_device()'. This shouldn't happen, and if it does it's likely a
> > framework error on the probe side.
> > 
> > Fixes: 66614ab2be38 ("staging: iio: adc: ad7192: removed spi_device_id")
> > Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
> 
> Hmm. Returning the compatible isn't compatible with the ABI.

i was a bit vague on whether part-name can contain vendor prefix [in terms of
ABI];
chances are really low that a part-name from vendor A could collide with part-
name from a vendor B

> 
> I think we will have to introduce a bit of indirection here to
> allow for a 'chip info' type structure with the name and the magic ID value
> that is currently in the data field of the of_device_id table.

i'll do that for V2

> 
> That way we can have the name explicit.   Note I don't want to
> mess around with stripping the prefix off the compatible as that sort of
> thing is hard to read.
> 
> Jonathan
> 
> > ---
> > 
> > Changelog v1 -> v2:
> > * fix colon for Fixes tag
> > * updated commit title a bit; to make it longer
> > 
> >  drivers/iio/adc/ad7192.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/iio/adc/ad7192.c b/drivers/iio/adc/ad7192.c
> > index 8ec28aa8fa8a..0039a45e1f33 100644
> > --- a/drivers/iio/adc/ad7192.c
> > +++ b/drivers/iio/adc/ad7192.c
> > @@ -888,6 +888,7 @@ MODULE_DEVICE_TABLE(of, ad7192_of_match);
> >  
> >  static int ad7192_probe(struct spi_device *spi)
> >  {
> > +	const struct of_device_id *of_id;
> >  	struct ad7192_state *st;
> >  	struct iio_dev *indio_dev;
> >  	int ret, voltage_uv = 0;
> > @@ -937,10 +938,12 @@ static int ad7192_probe(struct spi_device *spi)
> >  		goto error_disable_avdd;
> >  	}
> >  
> > +	of_id = of_match_device(ad7192_of_match, &spi->dev);
> > +
> >  	spi_set_drvdata(spi, indio_dev);
> > -	st->devid = (unsigned long)of_device_get_match_data(&spi->dev);
> > +	st->devid = (unsigned long)of_id->data;
> >  	indio_dev->dev.parent = &spi->dev;
> > -	indio_dev->name = spi_get_device_id(spi)->name;
> > +	indio_dev->name = of_id->compatible;
> >  	indio_dev->modes = INDIO_DIRECT_MODE;
> >  
> >  	ret = ad7192_channels_config(indio_dev);

Re: [PATCH] iio: adc: ad7192: fix null de-ref crash during probe

[Ardelean, Alexandru]

On Mon, 2020-04-06 at 21:46 +0200, Markus Elfring wrote:
> > After that patch 'spi_get_device_id(spi)' returns NULL, so this crashes
> > during probe with null de-ref.
> 
> How do you think about to use the term “null pointer dereference”
> in the commit message?

depends how long the commit title with be
will take a look

> 
> 
> > Fixes 66614ab2be38: ("staging: iio: adc: ad7192: removed spi_device_id")
> 
> Please correct this tag.
> https://urldefense.com/v3/__https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id=7e63420847ae5f1036e4f7c42f0b3282e73efbc2*n183__;Iw!!A3Ni8CS0y2Y!uk9bOaD_449N0PxwtQ_WikWYY5KnpykeZTp-rbrRTju7FZM6fPd48zCD1pe7rTSYypKYkg$ 
> 
> Why was a colon misplaced here?

will fix
thanks

> 
> Regards,
> Markus

Re: [PATCH] iio: adc: ad7192: fix null de-ref crash during probe

[Markus Elfring]

> After that patch 'spi_get_device_id(spi)' returns NULL, so this crashes
> during probe with null de-ref.

How do you think about to use the term “null pointer dereference”
in the commit message?


> Fixes 66614ab2be38: ("staging: iio: adc: ad7192: removed spi_device_id")

Please correct this tag.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?id=7e63420847ae5f1036e4f7c42f0b3282e73efbc2#n183

Why was a colon misplaced here?

Regards,
Markus