[PATCH] i2c: rcar: fix a possible NULL dereference

linux-i2c.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] i2c: rcar: fix a possible NULL dereference
@ 2015-11-12  7:25 LABBE Corentin
  2015-11-12  7:44 ` Uwe Kleine-König
  0 siblings, 1 reply; 7+ messages in thread
From: LABBE Corentin @ 2015-11-12  7:25 UTC (permalink / raw)
  To: wsa; +Cc: LABBE Corentin, linux-i2c, linux-kernel

of_match_device could return NULL, and so cause a NULL pointer
dereference later.

Reported-by: coverity (CID 1130036)
Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com>
---
 drivers/i2c/busses/i2c-rcar.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
index b0ae560..d2bdbda 100644
--- a/drivers/i2c/busses/i2c-rcar.c
+++ b/drivers/i2c/busses/i2c-rcar.c
@@ -639,6 +639,7 @@ static int rcar_i2c_probe(struct platform_device *pdev)
 	struct device *dev = &pdev->dev;
 	u32 bus_speed;
 	int irq, ret;
+	const struct of_device_id *of_id;
 
 	priv = devm_kzalloc(dev, sizeof(struct rcar_i2c_priv), GFP_KERNEL);
 	if (!priv)
@@ -653,7 +654,10 @@ static int rcar_i2c_probe(struct platform_device *pdev)
 	bus_speed = 100000; /* default 100 kHz */
 	of_property_read_u32(dev->of_node, "clock-frequency", &bus_speed);
 
-	priv->devtype = (enum rcar_i2c_type)of_match_device(rcar_i2c_dt_ids, dev)->data;
+	of_id = of_match_device(rcar_i2c_dt_ids, dev);
+	if (!of_id)
+		return -ENODEV;
+	priv->devtype = (enum rcar_i2c_type)of_id->data;
 
 	ret = rcar_i2c_clock_calculate(priv, bus_speed, dev);
 	if (ret < 0)
-- 
2.4.10

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] i2c: rcar: fix a possible NULL dereference
  2015-11-12  7:25 [PATCH] i2c: rcar: fix a possible NULL dereference LABBE Corentin
@ 2015-11-12  7:44 ` Uwe Kleine-König
  2015-11-12  7:52   ` Wolfram Sang
  0 siblings, 1 reply; 7+ messages in thread
From: Uwe Kleine-König @ 2015-11-12  7:44 UTC (permalink / raw)
  To: LABBE Corentin; +Cc: wsa, linux-i2c, linux-kernel

Hello,

On Thu, Nov 12, 2015 at 08:25:09AM +0100, LABBE Corentin wrote:
> of_match_device could return NULL, and so cause a NULL pointer
> dereference later.
> 
> Reported-by: coverity (CID 1130036)
> Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com>
> ---
>  drivers/i2c/busses/i2c-rcar.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
> index b0ae560..d2bdbda 100644
> --- a/drivers/i2c/busses/i2c-rcar.c
> +++ b/drivers/i2c/busses/i2c-rcar.c
> @@ -639,6 +639,7 @@ static int rcar_i2c_probe(struct platform_device *pdev)
>  	struct device *dev = &pdev->dev;
>  	u32 bus_speed;
>  	int irq, ret;
> +	const struct of_device_id *of_id;
>  
>  	priv = devm_kzalloc(dev, sizeof(struct rcar_i2c_priv), GFP_KERNEL);
>  	if (!priv)
> @@ -653,7 +654,10 @@ static int rcar_i2c_probe(struct platform_device *pdev)
>  	bus_speed = 100000; /* default 100 kHz */
>  	of_property_read_u32(dev->of_node, "clock-frequency", &bus_speed);
>  
> -	priv->devtype = (enum rcar_i2c_type)of_match_device(rcar_i2c_dt_ids, dev)->data;
> +	of_id = of_match_device(rcar_i2c_dt_ids, dev);
> +	if (!of_id)
> +		return -ENODEV;
> +	priv->devtype = (enum rcar_i2c_type)of_id->data;

This is nearly an open coding of of_device_get_match_data. Maybe using

	priv->devtype = (enum rcar_i2c_type)of_device_get_match_data(dev)

if good enough? 

Other than that, the NULL pointer dereference should only happen if the
device was bound using the driver name. That might be worth to point out
in the commit log. So maybe make (in a separate patch) the probe
function fail when probed by name?

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] i2c: rcar: fix a possible NULL dereference
  2015-11-12  7:44 ` Uwe Kleine-König
@ 2015-11-12  7:52   ` Wolfram Sang
  2015-11-12  8:09     ` Uwe Kleine-König
  0 siblings, 1 reply; 7+ messages in thread
From: Wolfram Sang @ 2015-11-12  7:52 UTC (permalink / raw)
  To: Uwe Kleine-König; +Cc: LABBE Corentin, linux-i2c, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1891 bytes --]

On Thu, Nov 12, 2015 at 08:44:47AM +0100, Uwe Kleine-König wrote:
> Hello,
> 
> On Thu, Nov 12, 2015 at 08:25:09AM +0100, LABBE Corentin wrote:
> > of_match_device could return NULL, and so cause a NULL pointer
> > dereference later.
> > 
> > Reported-by: coverity (CID 1130036)
> > Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com>
> > ---
> >  drivers/i2c/busses/i2c-rcar.c | 6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c
> > index b0ae560..d2bdbda 100644
> > --- a/drivers/i2c/busses/i2c-rcar.c
> > +++ b/drivers/i2c/busses/i2c-rcar.c
> > @@ -639,6 +639,7 @@ static int rcar_i2c_probe(struct platform_device *pdev)
> >  	struct device *dev = &pdev->dev;
> >  	u32 bus_speed;
> >  	int irq, ret;
> > +	const struct of_device_id *of_id;
> >  
> >  	priv = devm_kzalloc(dev, sizeof(struct rcar_i2c_priv), GFP_KERNEL);
> >  	if (!priv)
> > @@ -653,7 +654,10 @@ static int rcar_i2c_probe(struct platform_device *pdev)
> >  	bus_speed = 100000; /* default 100 kHz */
> >  	of_property_read_u32(dev->of_node, "clock-frequency", &bus_speed);
> >  
> > -	priv->devtype = (enum rcar_i2c_type)of_match_device(rcar_i2c_dt_ids, dev)->data;
> > +	of_id = of_match_device(rcar_i2c_dt_ids, dev);
> > +	if (!of_id)
> > +		return -ENODEV;
> > +	priv->devtype = (enum rcar_i2c_type)of_id->data;
> 
> This is nearly an open coding of of_device_get_match_data. Maybe using
> 
> 	priv->devtype = (enum rcar_i2c_type)of_device_get_match_data(dev)
> 
> if good enough? 
> 
> Other than that, the NULL pointer dereference should only happen if the
> device was bound using the driver name. That might be worth to point out
> in the commit log. So maybe make (in a separate patch) the probe
> function fail when probed by name?

RCar is a DT only platform.


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] i2c: rcar: fix a possible NULL dereference
  2015-11-12  7:52   ` Wolfram Sang
@ 2015-11-12  8:09     ` Uwe Kleine-König
  2015-11-12  8:48       ` Wolfram Sang
  0 siblings, 1 reply; 7+ messages in thread
From: Uwe Kleine-König @ 2015-11-12  8:09 UTC (permalink / raw)
  To: Wolfram Sang; +Cc: LABBE Corentin, linux-i2c, linux-kernel

Hello Wolfram,

On Thu, Nov 12, 2015 at 08:52:38AM +0100, Wolfram Sang wrote:
> On Thu, Nov 12, 2015 at 08:44:47AM +0100, Uwe Kleine-König wrote:
> > Other than that, the NULL pointer dereference should only happen if the
> > device was bound using the driver name. That might be worth to point out
> > in the commit log. So maybe make (in a separate patch) the probe
> > function fail when probed by name?
> 
> RCar is a DT only platform.

Does this imply that no checking is needed? I'm not sure.

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] i2c: rcar: fix a possible NULL dereference
  2015-11-12  8:09     ` Uwe Kleine-König
@ 2015-11-12  8:48       ` Wolfram Sang
  2015-11-12  9:03         ` Uwe Kleine-König
  0 siblings, 1 reply; 7+ messages in thread
From: Wolfram Sang @ 2015-11-12  8:48 UTC (permalink / raw)
  To: Uwe Kleine-König; +Cc: LABBE Corentin, linux-i2c, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 754 bytes --]

On Thu, Nov 12, 2015 at 09:09:26AM +0100, Uwe Kleine-König wrote:
> Hello Wolfram,
> 
> On Thu, Nov 12, 2015 at 08:52:38AM +0100, Wolfram Sang wrote:
> > On Thu, Nov 12, 2015 at 08:44:47AM +0100, Uwe Kleine-König wrote:
> > > Other than that, the NULL pointer dereference should only happen if the
> > > device was bound using the driver name. That might be worth to point out
> > > in the commit log. So maybe make (in a separate patch) the probe
> > > function fail when probed by name?
> > 
> > RCar is a DT only platform.
> 
> Does this imply that no checking is needed? I'm not sure.

I don't see how this driver could get probed otherwise. That being said,
for the "better safe than sorry" approach, I'd accept your suggestion.


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] i2c: rcar: fix a possible NULL dereference
  2015-11-12  8:48       ` Wolfram Sang
@ 2015-11-12  9:03         ` Uwe Kleine-König
  2015-11-12  9:14           ` Wolfram Sang
  0 siblings, 1 reply; 7+ messages in thread
From: Uwe Kleine-König @ 2015-11-12  9:03 UTC (permalink / raw)
  To: Wolfram Sang; +Cc: LABBE Corentin, linux-i2c, linux-kernel

On Thu, Nov 12, 2015 at 09:48:37AM +0100, Wolfram Sang wrote:
> On Thu, Nov 12, 2015 at 09:09:26AM +0100, Uwe Kleine-König wrote:
> > Hello Wolfram,
> > 
> > On Thu, Nov 12, 2015 at 08:52:38AM +0100, Wolfram Sang wrote:
> > > On Thu, Nov 12, 2015 at 08:44:47AM +0100, Uwe Kleine-König wrote:
> > > > Other than that, the NULL pointer dereference should only happen if the
> > > > device was bound using the driver name. That might be worth to point out
> > > > in the commit log. So maybe make (in a separate patch) the probe
> > > > function fail when probed by name?
> > > 
> > > RCar is a DT only platform.
> > 
> > Does this imply that no checking is needed? I'm not sure.
> 
> I don't see how this driver could get probed otherwise. That being said,
> for the "better safe than sorry" approach, I'd accept your suggestion.

Try adding the following to a device tree:

	i2c-rcar {

	}

This creates a platform device with name=i2c-rcar which makes
platform_match() yield a match for your driver.

(The other alternative is a device with this name created by a platform
file (even if this is not an rcar machine) doesn't trigger that problem
here I think, because there is a platform_device_id with a matching
name).

See also 

	http://article.gmane.org/gmane.linux.kernel/2083641

for a similar discussion.

Best regards
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] i2c: rcar: fix a possible NULL dereference
  2015-11-12  9:03         ` Uwe Kleine-König
@ 2015-11-12  9:14           ` Wolfram Sang
  0 siblings, 0 replies; 7+ messages in thread
From: Wolfram Sang @ 2015-11-12  9:14 UTC (permalink / raw)
  To: Uwe Kleine-König; +Cc: LABBE Corentin, linux-i2c, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 118 bytes --]

> Try adding the following to a device tree:
> 
> 	i2c-rcar {
> 
> 	}

"Better safe than sorry" won again ;)


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2015-11-12  9:14 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-11-12  7:25 [PATCH] i2c: rcar: fix a possible NULL dereference LABBE Corentin
2015-11-12  7:44 ` Uwe Kleine-König
2015-11-12  7:52   ` Wolfram Sang
2015-11-12  8:09     ` Uwe Kleine-König
2015-11-12  8:48       ` Wolfram Sang
2015-11-12  9:03         ` Uwe Kleine-König
2015-11-12  9:14           ` Wolfram Sang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).