From: sashiko-bot@kernel.org
To: guoqi0226 <guoqi0226@163.com>
Cc: "Marc Kleine-Budde" <mkl@pengutronix.de>,
"Oliver Hartkopp" <socketcan@hartkopp.net>,
"Vincent Mailhol" <mailhol@kernel.org>,
"Oleksij Rempel" <o.rempel@pengutronix.de>,
linux-can@vger.kernel.org
Subject: Re: [PATCH v4 2/2] spi: Add NULL check for spi_get_device_id() in spi_get_device_match_data()
Date: Tue, 16 Jun 2026 10:45:11 +0000 [thread overview]
Message-ID: <20260616104511.DD9CC1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260616103018.105612-3-guoqi0226@163.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] spi_get_device_id() unconditionally dereferences a potentially NULL id_table pointer
- [High] Direct callers of spi_get_device_id() unconditionally dereference its result
- [High] Callers of the patched spi_get_device_match_data() unconditionally dereference its NULL return value
--
commit 7e155f379f89eda6ab91795ac56410fd02c722be
Author: guoqi0226 <guoqi0226@163.com>
spi: Add NULL check for spi_get_device_id() in spi_get_device_match_data()
Prevent NULL pointer dereference when spi_get_device_id() returns NULL,
which can happen when using driver_override without matching SPI ID entry.
> diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
> index 104279858f567..079ac01a2229d 100644
> --- a/drivers/spi/spi.c
> +++ b/drivers/spi/spi.c
> @@ -355,12 +355,16 @@ EXPORT_SYMBOL_GPL(spi_get_device_id);
> const void *spi_get_device_match_data(const struct spi_device *sdev)
> {
> const void *match;
> + const struct spi_device_id *id;
>
> match = device_get_match_data(&sdev->dev);
> if (match)
> return match;
>
> - return (const void *)spi_get_device_id(sdev)->driver_data;
> + id = spi_get_device_id(sdev);
[Severity: High]
This is a pre-existing issue, but can spi_get_device_id() itself crash
if sdrv->id_table is NULL?
If a spi driver only provides a device tree or acpi match table and lacks
an id_table, sdrv->id_table will evaluate to NULL. When spi_get_device_id()
is called, it passes this NULL pointer to spi_match_id():
drivers/spi/spi.c:spi_get_device_id() {
...
return spi_match_id(sdrv->id_table, sdev->modalias);
}
spi_match_id() then unconditionally evaluates id->name[0] in its while loop:
drivers/spi/spi.c:spi_match_id() {
...
while (id->name[0]) {
...
}
Would this result in a NULL pointer dereference when driver_override is used?
[Severity: High]
This is also a pre-existing issue, but do many direct callers of
spi_get_device_id() unconditionally dereference its result?
For example, in drivers/iio/adc/max1118.c:max1118_probe():
indio_dev->name = spi_get_device_id(spi)->name;
If driver_override is used to force a bind to a device whose modalias
does not match the driver's id_table, spi_get_device_id() can return NULL.
Does this mean individual spi drivers might immediately crash if they
don't check the return value?
> + if (!id)
> + return NULL;
[Severity: High]
This isn't a bug introduced by this patch, but will returning NULL here just
shift the crash to callers that don't check the return value?
For example, in drivers/gpu/drm/tiny/sharp-memory.c:sharp_memory_probe():
smd->mode = spi_get_device_match_data(spi);
...
smd->pitch = (SHARP_ADDR_PERIOD + smd->mode->hdisplay + ...) / 8;
If spi_get_device_match_data() returns NULL when driver_override is used,
will callers unconditionally dereference it and still cause a kernel panic?
> + return (const void *)id->driver_data;
> }
> EXPORT_SYMBOL_GPL(spi_get_device_match_data);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260616103018.105612-1-guoqi0226@163.com?part=2
next prev parent reply other threads:[~2026-06-16 10:45 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260616031332.0F34C1F000E9@smtp.kernel.org 20260616-teal-wrasse-of-conversion-348af0-mkl@pengutronix.de>
2026-06-16 8:53 ` [PATCH v2 0/1] can: mcp251x: Add ACPI device ID table for MCP2515 guoqi0226
2026-06-16 8:53 ` [PATCH v2] can: mcp251xfd: Add ACPI device ID table for MCP251XFD guoqi0226
2026-06-16 9:07 ` sashiko-bot
2026-06-16 9:16 ` [PATCH v3 0/1] " guoqi0226
2026-06-16 9:16 ` [PATCH v3 1/1] " guoqi0226
2026-06-16 9:26 ` sashiko-bot
2026-06-16 10:30 ` [PATCH v4 0/2] " guoqi0226
2026-06-16 10:30 ` [PATCH v4 1/2] can: mcp251xfd: mcp251xfd: Cache and validate match data pointer in probe guoqi0226
2026-06-16 10:30 ` [PATCH v4 2/2] spi: Add NULL check for spi_get_device_id() in spi_get_device_match_data() guoqi0226
2026-06-16 10:45 ` sashiko-bot [this message]
2026-06-16 10:35 ` [PATCH v4 0/2] can: mcp251xfd: Add ACPI device ID table for MCP251XFD Mark Brown
[not found] ` <15819af8.9491.19ed00ac23e.Coremail.guoqi0226@163.com>
2026-06-16 10:51 ` Mark Brown
2026-06-16 10:52 ` guoqi0226
2026-06-16 11:33 ` (subset) " Mark Brown
2026-06-16 9:45 ` [PATCH v2 0/1] can: mcp251x: Add ACPI device ID table for MCP2515 Marc Kleine-Budde
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260616104511.DD9CC1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=guoqi0226@163.com \
--cc=linux-can@vger.kernel.org \
--cc=mailhol@kernel.org \
--cc=mkl@pengutronix.de \
--cc=o.rempel@pengutronix.de \
--cc=sashiko-reviews@lists.linux.dev \
--cc=socketcan@hartkopp.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox