From: Sean Young <sean@mess.org>
To: Wolfram Sang <wsa+renesas@sang-engineering.com>
Cc: linux-i2c@vger.kernel.org,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/2] media: ir-kbd-i2c: prevent potential NULL pointer access
Date: Thu, 25 Jul 2019 06:12:02 +0100
Message-ID: <20190725051202.o47mz4unbn63z6uk@gofer.mess.org>
In-Reply-To: <20190722172632.4402-2-wsa+renesas@sang-engineering.com>

On Mon, Jul 22, 2019 at 07:26:31PM +0200, Wolfram Sang wrote:
> i2c_new_dummy() can fail returning a NULL pointer. The code does not
> bail out in this case and the returned pointer is blindly used.

I don't see how. The existing code tries to set up the tx part; if
i2c_new_dummy() returns NULL then the rcdev is registered without tx,
and tx_c is never used.

> Convert
> to devm_i2c_new_dummy_device() which returns an ERR_PTR and also bail
> out when failing the validity check.

Possibly I was being overly cautious with not bailing out if tx can't
be registered; moving to devm is probably a good idea. However the
commit message is misleading, because the existing code has no
NULL pointer access.

Sean

>
> Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
> ---
> drivers/media/i2c/ir-kbd-i2c.c | 13 +++++--------
> 1 file changed, 5 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/media/i2c/ir-kbd-i2c.c b/drivers/media/i2c/ir-kbd-i2c.c
> index 876d7587a1da..f46717052efc 100644
> --- a/drivers/media/i2c/ir-kbd-i2c.c
> +++ b/drivers/media/i2c/ir-kbd-i2c.c
> @@ -885,9 +885,12 @@ static int ir_probe(struct i2c_client *client, const struct i2c_device_id *id)
> INIT_DELAYED_WORK(&ir->work, ir_work);
>
> if (probe_tx) {
> - ir->tx_c = i2c_new_dummy(client->adapter, 0x70);
> - if (!ir->tx_c) {
> + ir->tx_c = devm_i2c_new_dummy_device(&client->dev,
> + client->adapter, 0x70);
> + if (IS_ERR(ir->tx_c)) {
> dev_err(&client->dev, "failed to setup tx i2c address");
> + err = PTR_ERR(ir->tx_c);
> + goto err_out_free;
> } else if (!zilog_init(ir)) {
> ir->carrier = 38000;
> ir->duty_cycle = 40;
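
Review bot: the `goto err_out_free` in the new IS_ERR() branch turns a failure to claim address 0x70 into a failed probe, whereas the removed `if (!ir->tx_c)` branch only logged the error and had no bail-out. The commit message should state that this behaviour change is intended; if it is not, drop the goto and make sure ir->tx_c is not left holding an ERR_PTR. Separately, the dev_err() string in this branch has no trailing \n.
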
> @@ -904,9 +907,6 @@ static int ir_probe(struct i2c_client *client, const struct i2c_device_id *id)
> return 0;
>
> err_out_free:
> - if (ir->tx_c)
> - i2c_unregister_device(ir->tx_c);
> -
> /* Only frees rc if it were allocated internally */
> rc_free_device(rc);
> return err;
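
Review bot: dropping the `if (ir->tx_c)` unregister under err_out_free is required by the first hunk, not just cleanup: that label is now reached with ir->tx_c holding an ERR_PTR, which is non-NULL and would have been passed to i2c_unregister_device(). Please say so in the commit message so the two changes stay together if this is backported.
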
> @@ -919,9 +919,6 @@ static int ir_remove(struct i2c_client *client)
> /* kill outstanding polls */
> cancel_delayed_work_sync(&ir->work);
>
> - if (ir->tx_c)
> - i2c_unregister_device(ir->tx_c);
> -
> /* unregister device */
> rc_unregister_device(ir->rc);
>
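
Review bot: in ir_remove() the dummy client used to be unregistered before rc_unregister_device(ir->rc); with the devm variant its release is left to devres, which runs after ir_remove() returns, so the teardown order is reversed. Please confirm that the new order is intended and mention it in the commit message.
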
> --
> 2.20.1