From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
To: Jonathan Cameron <jic23@kernel.org>
Cc: linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
	Beomho Seo <beomho.seo@samsung.com>,
	Lars-Peter Clausen <lars@metafoo.de>
Subject: Re: [PATCH] iio: cm36651: Fix i2c client leak and possible NULL pointer dereference
Date: Mon, 17 Mar 2014 09:01:13 +0100
Message-ID: <1395043273.3950.3.camel@AMDC1943>
In-Reply-To: <53247EC9.6090505@kernel.org>

Hi,

On Sat, 2014-03-15 at 16:24 +0000, Jonathan Cameron wrote:
> On 06/03/14 09:33, Krzysztof Kozlowski wrote:
> > During probe the driver allocates dummy I2C devices (i2c_new_dummy())
> > but they aren't unregistered during driver remove or probe failure.
> >
> > Additionally driver does not check the return value of i2c_new_dummy().
> > In case of error (i2c_new_device(): memory allocation failure or I2C
> > address cannot be used) this function returns NULL which is later
> > dereferenced by i2c_smbus_{read,write}_data() functions.
> >
> > Fix issues by properly checking for i2c_new_dummy() return value and
> > unregistering I2C devices on driver remove or probe failure.
> >
> > Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
> Good catch, but the error path needs more care.
> > ---
> >   drivers/iio/light/cm36651.c |   12 ++++++++++++
> >   1 file changed, 12 insertions(+)
> >
> > diff --git a/drivers/iio/light/cm36651.c b/drivers/iio/light/cm36651.c
> > index a45e07492db3..e7e9a597159f 100644
> > --- a/drivers/iio/light/cm36651.c
> > +++ b/drivers/iio/light/cm36651.c
> > @@ -653,6 +653,11 @@ static int cm36651_probe(struct i2c_client *client,
> >   	cm36651->ps_client = i2c_new_dummy(client->adapter,
> >   						     CM36651_I2C_ADDR_PS);
> >   	cm36651->ara_client = i2c_new_dummy(client->adapter, CM36651_ARA);
> > +	if (!cm36651->ps_client || !cm36651->ara_client) {
> > +		dev_err(&client->dev, "%s: new i2c device failed\n", __func__);
> > +		ret = -ENODEV;
> > +		goto error_i2c_unregister;
> > +	}
> The two failures need to be handled independently as we only want to unregister
> those that succeeded.  i2c_new_dummy will not return an error and leave a device
> registered.  This is particularly true given the first thing that i2c_unregister_device
> does is to dereference the client pointer.  That will cause a segfault if you do it
> for NULL as here.
> 

Where would the segfault occur? If i2c_new_dummy fails then
i2c_unregister_device() will be called only on non-NULL values:
	+error_i2c_unregister:
	+	if (cm36651->ps_client)
	+		i2c_unregister_device(cm36651->ps_client);
	+	if (cm36651->ara_client)
	+		i2c_unregister_device(cm36651->ara_client);

If probe() succeeds (both i2c_new_dummy calls return proper pointers) then
remove() will unregister the two i2c devices.


> >   	mutex_init(&cm36651->lock);
> >   	indio_dev->dev.parent = &client->dev;
> >   	indio_dev->channels = cm36651_channels;
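Review bot: the combined check jumps to error_i2c_unregister, which in this patch sits below regulator_disable() in the error ladder, so this path never disables vled_reg; if the regulator has already been enabled by the time these two i2c_new_dummy() calls run (the hunk does not show where it is enabled), a failure here leaks it. Jumping to error_disable_reg instead, so that fall-through reaches the NULL-guarded unregister label, unwinds both; alternatively test each pointer right after its own i2c_new_dummy() call, so the label used for the second failure only ever sees a valid ps_client and needs no guard. The single dev_err() also cannot tell the reader which of the two addresses failed; logging the address would help diagnosis.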
> > @@ -687,6 +692,11 @@ error_free_irq:
> >   	free_irq(client->irq, indio_dev);
> >   error_disable_reg:
> >   	regulator_disable(cm36651->vled_reg);
> > +error_i2c_unregister:
> > +	if (cm36651->ps_client)
> > +		i2c_unregister_device(cm36651->ps_client);
> > +	if (cm36651->ara_client)
> > +		i2c_unregister_device(cm36651->ara_client);
> >   	return ret;
> >   }
> >
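Review bot: the two NULL guards at error_i2c_unregister are what make the combined check in probe safe, because i2c_unregister_device() in this kernel dereferences its argument unconditionally; they must survive any later split or reorder of the labels. Note the placement: the label is reached by fall-through from error_free_irq and error_disable_reg (where both clients always exist) and directly by the new goto, which bypasses regulator_disable(). If the new goto targeted error_disable_reg instead, this label would be an ordinary fall-through tail and no path would skip the regulator.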
> > @@ -698,6 +708,8 @@ static int cm36651_remove(struct i2c_client *client)
> >   	iio_device_unregister(indio_dev);
> >   	regulator_disable(cm36651->vled_reg);
> >   	free_irq(client->irq, indio_dev);
> > +	i2c_unregister_device(cm36651->ps_client);
> > +	i2c_unregister_device(cm36651->ara_client);
> Good catch.
> >
> >   	return 0;
> >   }
> >
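Review bot: both i2c_unregister_device() calls here are unconditional, which is correct only because probe now fails whenever either i2c_new_dummy() returned NULL; that invariant has to hold if the probe-side check is ever relaxed. Ordering looks right: the dummy clients are created before mutex_init() and the indio_dev setup in probe, so the IRQ and IIO registration come after them, and releasing the clients after iio_device_unregister() and free_irq() means no handler can reach ps_client or ara_client once they are gone.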

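The unwind order argued over in this reply, as an added example that is not part of the thread or of the cm36651 driver: a user-space model of the probe()/remove() ladder in which i2c_new_dummy(), i2c_unregister_device() and the regulator calls are mocks that count what was acquired and released. It assumes, which the posted hunks do not show, that the regulator is enabled before the dummy clients are created; the I2C addresses are arbitrary placeholders. For each failure point it checks two things: whether i2c_unregister_device() is ever reached with a NULL client (the oops Jonathan raises), and whether everything acquired before the failure is released (which depends only on the goto target).

```c
/* Added example, not cm36651 driver code: mock i2c/regulator calls that
 * record acquire/release counts, driven through a probe() shaped like the
 * posted patch. Assumption: the regulator is enabled before the clients. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct i2c_client { int addr; };

static struct {
	int created, unregistered;      /* dummy i2c clients */
	int reg_enabled, reg_disabled;  /* regulator */
	int null_unregister;            /* unregister reached with NULL */
	int fail_at, calls;             /* i2c_new_dummy() call to fail, 1-based; 0 = none */
	struct i2c_client pool[2];
} mock;

static struct i2c_client *i2c_new_dummy(int addr)
{
	mock.calls++;
	if (mock.calls == mock.fail_at)
		return NULL;            /* i2c_new_dummy() reports failure as NULL */
	struct i2c_client *c = &mock.pool[mock.created++];
	c->addr = addr;
	return c;
}

static void i2c_unregister_device(struct i2c_client *c)
{
	if (!c) {                       /* the kernel of this era would oops here */
		mock.null_unregister++;
		return;
	}
	mock.unregistered++;
}

static int regulator_enable(void) { mock.reg_enabled++; return 0; }
static void regulator_disable(void) { mock.reg_disabled++; }

struct drv { struct i2c_client *ps_client, *ara_client; };

/* Combined check and guarded label as in the patch. direct_goto=1 jumps
 * straight to error_i2c_unregister (past regulator_disable()); 0 jumps to
 * the top of the ladder so fall-through releases the regulator as well. */
static int cm_probe(struct drv *d, int direct_goto)
{
	int ret = regulator_enable();
	if (ret)
		return ret;

	d->ps_client = i2c_new_dummy(0x01);   /* arbitrary addresses */
	d->ara_client = i2c_new_dummy(0x02);
	if (!d->ps_client || !d->ara_client) {
		ret = -ENODEV;
		if (direct_goto)
			goto error_i2c_unregister;
		goto error_disable_reg;
	}
	return 0;

error_disable_reg:
	regulator_disable();
error_i2c_unregister:
	if (d->ps_client)               /* guards keep the combined check safe */
		i2c_unregister_device(d->ps_client);
	if (d->ara_client)
		i2c_unregister_device(d->ara_client);
	return ret;
}

/* remove(): probe only returns 0 with both clients valid, so no guards. */
static void cm_remove(struct drv *d)
{
	i2c_unregister_device(d->ara_client);
	i2c_unregister_device(d->ps_client);
	regulator_disable();
}

static void run_scenario(int fail_at, int direct_goto)
{
	struct drv d;
	memset(&mock, 0, sizeof(mock));
	memset(&d, 0, sizeof(d));
	mock.fail_at = fail_at;
	if (cm_probe(&d, direct_goto) == 0)
		cm_remove(&d);
}

/* 1 if every client and regulator acquired was released, else 0. */
int probe_unwind_balanced(int fail_at, int direct_goto)
{
	run_scenario(fail_at, direct_goto);
	return mock.created == mock.unregistered &&
	       mock.reg_enabled == mock.reg_disabled;
}

/* Number of i2c_unregister_device(NULL) calls in the scenario. */
int probe_null_unregisters(int fail_at, int direct_goto)
{
	run_scenario(fail_at, direct_goto);
	return mock.null_unregister;
}

int main(void)
{
	for (int direct = 0; direct < 2; direct++)
		for (int fail_at = 0; fail_at <= 2; fail_at++)
			printf("fail_at=%d direct_goto=%d balanced=%d null_unregisters=%d\n",
			       fail_at, direct, probe_unwind_balanced(fail_at, direct),
			       probe_null_unregisters(fail_at, direct));
	return 0;
}
```

With the guards in place no scenario ever unregisters a NULL client, which is the reply's point; the regulator is only balanced when the failing path enters the ladder at error_disable_reg rather than jumping below it.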


Thread overview: 6+ messages
2014-03-06  9:33 [PATCH] iio: cm36651: Fix i2c client leak and possible NULL pointer dereference Krzysztof Kozlowski
2014-03-07  0:34 ` Beomho Seo
2014-03-15 16:24 ` Jonathan Cameron
2014-03-17  8:01   ` Krzysztof Kozlowski [this message]
2014-03-17 19:24     ` Jonathan Cameron
2014-03-18  8:08       ` Krzysztof Kozlowski
