[PATCH] iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()

[PATCH] iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()

[Harshit Mogalapalli]

Smatch Warns: drivers/iio/accel/mma9551_core.c:357
	mma9551_read_status_word() error: uninitialized symbol 'v'.

When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL
without 'v' being initialized, so check for the error and return.

Fixes: d5b97f5c7dfc ("iio: accel: mma9551: split driver to expose mma955x api")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
---
This is detected using static analysis with smatch, and could probably
be detected by syzkaller fuzzing in future.
---
 drivers/iio/accel/mma9551_core.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
index 75eee7f7303a..b898f865fb87 100644
--- a/drivers/iio/accel/mma9551_core.c
+++ b/drivers/iio/accel/mma9551_core.c
@@ -357,9 +357,12 @@ int mma9551_read_status_word(struct i2c_client *client, u8 app_id,
 
 	ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS,
 			       reg, NULL, 0, (u8 *)&v, 2);
+	if (ret < 0)
+		return ret;
+
 	*val = be16_to_cpu(v);
 
-	return ret;
+	return 0;
 }
 EXPORT_SYMBOL_NS(mma9551_read_status_word, IIO_MMA9551);
 
-- 
2.38.1

Re: [PATCH] iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()

[Jonathan Cameron]

On Thu, 26 Jan 2023 07:21:46 -0800
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com> wrote:

> Smatch Warns: drivers/iio/accel/mma9551_core.c:357
> 	mma9551_read_status_word() error: uninitialized symbol 'v'.
> 
> When (offset >= 1 << 12) is true mma9551_transfer() will return -EINVAL
> without 'v' being initialized, so check for the error and return.
> 
> Fixes: d5b97f5c7dfc ("iio: accel: mma9551: split driver to expose mma955x api")
> Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

Whilst inelegant, there isn't actually a bug here as such because the function
callers don't use the value.  Given the function is exported, it's not going to
be easy for static analysis to see that however and your patch is definitely an
improvement.

Hence applied, but with fixes tag dropped and a note added for information
of anyone considering backporting this.

Jonathan

> ---
> This is detected using static analysis with smatch, and could probably
> be detected by syzkaller fuzzing in future.
> ---
>  drivers/iio/accel/mma9551_core.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/iio/accel/mma9551_core.c b/drivers/iio/accel/mma9551_core.c
> index 75eee7f7303a..b898f865fb87 100644
> --- a/drivers/iio/accel/mma9551_core.c
> +++ b/drivers/iio/accel/mma9551_core.c
> @@ -357,9 +357,12 @@ int mma9551_read_status_word(struct i2c_client *client, u8 app_id,
>  
>  	ret = mma9551_transfer(client, app_id, MMA9551_CMD_READ_STATUS,
>  			       reg, NULL, 0, (u8 *)&v, 2);
> +	if (ret < 0)
> +		return ret;
> +
>  	*val = be16_to_cpu(v);
>  
> -	return ret;
> +	return 0;
>  }
>  EXPORT_SYMBOL_NS(mma9551_read_status_word, IIO_MMA9551);
>