From: Andy Shevchenko <andriy.shevchenko@intel.com>
To: Stepan Ionichev <sozdayvek@gmail.com>
Cc: jic23@kernel.org, m32285159@gmail.com, dlechner@baylibre.com,
nuno.sa@analog.com, andy@kernel.org, linux-iio@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] iio: chemical: scd30: reject (response=NULL, size>0) in scd30_i2c_command()
Date: Fri, 8 May 2026 10:36:09 +0300 [thread overview]
Message-ID: <af2SaesfmLw-AG0d@ashevche-desk.local> (raw)
In-Reply-To: <20260507152800.9062-1-sozdayvek@gmail.com>
On Thu, May 07, 2026 at 08:28:00PM +0500, Stepan Ionichev wrote:
> scd30_i2c_command() takes an opaque "response" buffer plus its size.
> At the start of the function the code already checks if response is
> NULL (via the rsp local), but the response-decoding loop after the
> i2c transfer always dereferences rsp without re-checking. With the
> current callers in scd30_core.c this is harmless, since write
> commands pass response=NULL together with size=0 (so the loop body
> is never entered).
>
> The (response=NULL, size>0) combination has no useful meaning: there
> is nowhere to put the bytes that come back from the chip. Treat it
> as an invalid argument and bail out at the top of the function with
> -EINVAL, instead of silently doing the i2c transfer and dereferencing
> a NULL pointer in the decode loop.
>
> smatch flagged the inconsistency:
>
> drivers/iio/chemical/scd30_i2c.c:104 scd30_i2c_command() error: we
> previously assumed rsp could be null (see line 77)
>
> No functional change for the existing callers, which only ever use
> (response=NULL, size=0) for writes and (response!=NULL, size>0) for
> reads.
Is this analysis AI assisted?
> Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
> ---
> v2:
> - Move the check to the top of the function and return -EINVAL on
> the (response=NULL, size>0) combination, as suggested by Jonathan
> Cameron. Drop the v1 "if (!rsp) return 0" deeper in the function.
Do not reply to the same email thread with a new patch version.
...
Code wise LGTM, thanks.
Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
--
With Best Regards,
Andy Shevchenko
next prev parent reply other threads:[~2026-05-08 7:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-06 18:15 [PATCH] iio: chemical: scd30: avoid potential NULL deref in scd30_i2c_command() Stepan Ionichev
2026-05-07 15:28 ` [PATCH v2] iio: chemical: scd30: reject (response=NULL, size>0) " Stepan Ionichev
2026-05-08 7:36 ` Andy Shevchenko [this message]
2026-05-08 7:29 ` Stepan Ionichev
2026-05-08 16:02 ` Maxwell Doose
2026-05-08 18:16 ` Stepan Ionichev
2026-05-08 19:50 ` Maxwell Doose
2026-05-11 11:51 ` Jonathan Cameron
2026-05-07 16:18 ` [PATCH] iio: chemical: scd30: avoid potential NULL deref " Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=af2SaesfmLw-AG0d@ashevche-desk.local \
--to=andriy.shevchenko@intel.com \
--cc=andy@kernel.org \
--cc=dlechner@baylibre.com \
--cc=jic23@kernel.org \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=m32285159@gmail.com \
--cc=nuno.sa@analog.com \
--cc=sozdayvek@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.