From: Sasha Levin <sashal@kernel.org>
To: patches@lists.linux.dev, stable@vger.kernel.org
Cc: Chenyuan Yang <chenyuan0y@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Sasha Levin <sashal@kernel.org>,
richardcochran@gmail.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.6 11/18] misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe()
Date: Mon, 9 Jun 2025 09:46:45 -0400 [thread overview]
Message-ID: <20250609134652.1344323-11-sashal@kernel.org> (raw)
In-Reply-To: <20250609134652.1344323-1-sashal@kernel.org>
From: Chenyuan Yang <chenyuan0y@gmail.com>
[ Upstream commit a99b598d836c9c6411110c70a2da134c78d96e67 ]
The returned value, pfsm->miscdev.name, from devm_kasprintf()
could be NULL.
A pointer check is added to prevent potential NULL pointer dereference.
This is similar to the fix in commit 3027e7b15b02
("ice: Fix some null pointer dereference issues in ice_ptp.c").
This issue is found by our static analysis tool.
Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
Link: https://lore.kernel.org/r/20250311010511.1028269-1-chenyuan0y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
**YES**
This commit should be backported to stable kernel trees. Here's my
detailed analysis:
## Analysis
### 1. Bug Fix Nature
This commit fixes a clear NULL pointer dereference vulnerability. The
`devm_kasprintf()` function can return NULL on memory allocation
failure, and the code was not checking this return value before using
`pfsm->miscdev.name`. This would lead to a NULL pointer dereference when
`misc_register(&pfsm->miscdev)` is called at line 302.
### 2. Code Analysis
Looking at the specific changes in `drivers/misc/tps6594-pfsm.c`:
**Before the fix (lines 282-283):**
```c
pfsm->miscdev.name = devm_kasprintf(dev, GFP_KERNEL, "pfsm-%ld-0x%02x",
tps->chip_id, tps->reg);
```
**After the fix (lines 282-286):**
```c
pfsm->miscdev.name = devm_kasprintf(dev, GFP_KERNEL, "pfsm-%ld-0x%02x",
tps->chip_id, tps->reg);
+if (!pfsm->miscdev.name)
+ return -ENOMEM;
```
The fix adds essential NULL pointer checking that prevents potential
kernel crashes.
### 3. Comparison with Similar Commits
This fix follows the exact same pattern as the reference commits marked
as "Backport Status: YES":
- **Similar Commit #1 (ipmi)**: Same issue with `devm_kasprintf()` not
being checked
- **Similar Commit #2 (mfd: tps6594)**: Same issue, even in the same
TPS6594 subsystem
- **Similar Commit #4 (ice)**: Same issue, explicitly referenced in the
commit message
All these similar commits were deemed suitable for backporting because
they fix the same fundamental issue.
### 4. Risk Assessment
- **Minimal risk**: The fix is a simple 2-line addition that only adds
error checking
- **No side effects**: The change doesn't alter functionality, only
prevents crashes
- **Contained scope**: Only affects the TPS6594 PFSM driver
initialization path
- **No architectural changes**: Doesn't modify any interfaces or major
logic
### 5. Stability Criteria Met
- ✅ **Important bug fix**: Prevents kernel NULL pointer dereference
crashes
- ✅ **Minimal and contained**: Only 2 lines added for error checking
- ✅ **Low regression risk**: Cannot introduce new issues, only prevents
crashes
- ✅ **Clear fix**: Addresses a well-defined problem with obvious
solution
### 6. Driver Context
The TPS6594 PFSM driver was introduced in kernel v6.10, making it a
relatively recent addition. The driver handles power management for TI
PMIC devices, making reliability crucial for system stability.
### 7. Static Analysis Tool Finding
The commit message mentions this was found by static analysis, which
indicates it's a real potential issue that could manifest under memory
pressure conditions.
This commit clearly meets all the criteria for stable tree backporting:
it's a small, contained fix for an important potential crash bug with
minimal risk of regression.
drivers/misc/tps6594-pfsm.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/misc/tps6594-pfsm.c b/drivers/misc/tps6594-pfsm.c
index 88dcac8148922..71fbe31542e56 100644
--- a/drivers/misc/tps6594-pfsm.c
+++ b/drivers/misc/tps6594-pfsm.c
@@ -260,6 +260,9 @@ static int tps6594_pfsm_probe(struct platform_device *pdev)
pfsm->miscdev.minor = MISC_DYNAMIC_MINOR;
pfsm->miscdev.name = devm_kasprintf(dev, GFP_KERNEL, "pfsm-%ld-0x%02x",
tps->chip_id, tps->reg);
+ if (!pfsm->miscdev.name)
+ return -ENOMEM;
+
pfsm->miscdev.fops = &tps6594_pfsm_fops;
pfsm->miscdev.parent = dev->parent;
--
2.39.5
next prev parent reply other threads:[~2025-06-09 13:47 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-09 13:46 [PATCH AUTOSEL 6.6 01/18] md/md-bitmap: fix dm-raid max_write_behind setting Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 02/18] amd/amdkfd: fix a kfd_process ref leak Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 03/18] bcache: fix NULL pointer in cache_set_flush() Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 04/18] drm/scheduler: signal scheduled fence when kill job Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 05/18] iio: pressure: zpa2326: Use aligned_s64 for the timestamp Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 06/18] um: Add cmpxchg8b_emu and checksum functions to asm-prototypes.h Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 07/18] um: use proper care when taking mmap lock during segfault Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 08/18] coresight: Only check bottom two claim bits Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 09/18] usb: dwc2: also exit clock_gating when stopping udc while suspended Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 10/18] iio: adc: ad_sigma_delta: Fix use of uninitialized status_pos Sasha Levin
2025-06-09 13:46 ` Sasha Levin [this message]
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 12/18] usb: potential integer overflow in usbg_make_tpg() Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 13/18] tty: serial: uartlite: register uart driver in init Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 14/18] usb: common: usb-conn-gpio: use a unique name for usb connector device Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 15/18] usb: Add checks for snprintf() calls in usb_alloc_dev() Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 16/18] usb: cdc-wdm: avoid setting WDM_READ for ZLP-s Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 17/18] usb: typec: displayport: Receive DP Status Update NAK request exit dp altmode Sasha Levin
2025-06-09 13:46 ` [PATCH AUTOSEL 6.6 18/18] usb: typec: mux: do not return on EOPNOTSUPP in {mux, switch}_set Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250609134652.1344323-11-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=chenyuan0y@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=netdev@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=richardcochran@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.