[mfd] question about potential null pointer dereference

[mfd] question about potential null pointer dereference

[Gustavo A. R. Silva]

Hello everybody,

While looking into Coverity ID 1408830 I ran into the following piece  
of code at drivers/mfd/wm831x-spi.c:26

  26static int wm831x_spi_probe(struct spi_device *spi)
  27{
  28        struct wm831x_pdata *pdata = dev_get_platdata(&spi->dev);
  29        const struct spi_device_id *id = spi_get_device_id(spi);
  30        const struct of_device_id *of_id;
  31        struct wm831x *wm831x;
  32        enum wm831x_parent type;
  33        int ret;
  34
  35        if (spi->dev.of_node) {
  36                of_id = of_match_device(wm831x_of_match, &spi->dev);
  37                type = (enum wm831x_parent)of_id->data;
  38        } else {
  39                type = (enum wm831x_parent)id->driver_data;
  40        }
  41
  42        wm831x = devm_kzalloc(&spi->dev, sizeof(struct wm831x),  
GFP_KERNEL);
  43        if (wm831x == NULL)
  44                return -ENOMEM;
  45
  46        spi->mode = SPI_MODE_0;
  47
  48        spi_set_drvdata(spi, wm831x);
  49        wm831x->dev = &spi->dev;
  50        wm831x->type = type;
  51
  52        wm831x->regmap = devm_regmap_init_spi(spi, &wm831x_regmap_config);
  53        if (IS_ERR(wm831x->regmap)) {
  54                ret = PTR_ERR(wm831x->regmap);
  55                dev_err(wm831x->dev, "Failed to allocate register  
map: %d\n",
  56                        ret);
  57                return ret;
  58        }
  59
  60        if (pdata)
  61                memcpy(&wm831x->pdata, pdata, sizeof(*pdata));
  62
  63        return wm831x_device_init(wm831x, spi->irq);
  64}

The issue here is that there is a potential NULL pointer dereference  
at line 37, in case function of_match_device() returns NULL.

Maybe a patch like the following could be applied in order to avoid  
any chance of a NULL pointer dereference:

index c332e28..7b227c9 100644
--- a/drivers/mfd/wm831x-spi.c
+++ b/drivers/mfd/wm831x-spi.c
@@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)

         if (spi->dev.of_node) {
                 of_id = of_match_device(wm831x_of_match, &spi->dev);
+               if (!of_id) {
+                       dev_err(&spi->dev, "Failed to find matching id\n");
+                       return -EINVAL;
+               }
                 type = (enum wm831x_parent)of_id->data;
         } else {
                 type = (enum wm831x_parent)id->driver_data;

What do you think?

I'd really appreciate any comment on this.

Thank you!
--
Gustavo A. R. Silva

Re: [mfd] question about potential null pointer dereference

[Lee Jones]

On Tue, 23 May 2017, Gustavo A. R. Silva wrote:

> 
> Hello everybody,
> 
> While looking into Coverity ID 1408830 I ran into the following piece of
> code at drivers/mfd/wm831x-spi.c:26
> 
>  26static int wm831x_spi_probe(struct spi_device *spi)
>  27{
>  28        struct wm831x_pdata *pdata = dev_get_platdata(&spi->dev);
>  29        const struct spi_device_id *id = spi_get_device_id(spi);
>  30        const struct of_device_id *of_id;
>  31        struct wm831x *wm831x;
>  32        enum wm831x_parent type;
>  33        int ret;
>  34
>  35        if (spi->dev.of_node) {
>  36                of_id = of_match_device(wm831x_of_match, &spi->dev);
>  37                type = (enum wm831x_parent)of_id->data;
>  38        } else {
>  39                type = (enum wm831x_parent)id->driver_data;
>  40        }
>  41
>  42        wm831x = devm_kzalloc(&spi->dev, sizeof(struct wm831x),
> GFP_KERNEL);
>  43        if (wm831x == NULL)
>  44                return -ENOMEM;
>  45
>  46        spi->mode = SPI_MODE_0;
>  47
>  48        spi_set_drvdata(spi, wm831x);
>  49        wm831x->dev = &spi->dev;
>  50        wm831x->type = type;
>  51
>  52        wm831x->regmap = devm_regmap_init_spi(spi, &wm831x_regmap_config);
>  53        if (IS_ERR(wm831x->regmap)) {
>  54                ret = PTR_ERR(wm831x->regmap);
>  55                dev_err(wm831x->dev, "Failed to allocate register map:
> %d\n",
>  56                        ret);
>  57                return ret;
>  58        }
>  59
>  60        if (pdata)
>  61                memcpy(&wm831x->pdata, pdata, sizeof(*pdata));
>  62
>  63        return wm831x_device_init(wm831x, spi->irq);
>  64}
> 
> The issue here is that there is a potential NULL pointer dereference at line
> 37, in case function of_match_device() returns NULL.
> 
> Maybe a patch like the following could be applied in order to avoid any
> chance of a NULL pointer dereference:

I do not believe it's possible for of_match_device() to return NULL in
this case.

However, if you wanted to submit a patch checking for it, it would not
be rejected.

> index c332e28..7b227c9 100644
> --- a/drivers/mfd/wm831x-spi.c
> +++ b/drivers/mfd/wm831x-spi.c
> @@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)
> 
>         if (spi->dev.of_node) {
>                 of_id = of_match_device(wm831x_of_match, &spi->dev);
> +               if (!of_id) {
> +                       dev_err(&spi->dev, "Failed to find matching id\n");

"Failed to match device"

> +                       return -EINVAL;

-ENODEV

>                 type = (enum wm831x_parent)of_id->data;
>         } else {
>                 type = (enum wm831x_parent)id->driver_data;
> 
> What do you think?
> 
> I'd really appreciate any comment on this.
> 
> Thank you!

-- 
Lee Jones
Linaro STMicroelectronics Landing Team Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [mfd] question about potential null pointer dereference

[Charles Keepax]

On Wed, May 24, 2017 at 08:22:58AM +0100, Lee Jones wrote:
> On Tue, 23 May 2017, Gustavo A. R. Silva wrote:
> > The issue here is that there is a potential NULL pointer dereference at line
> > 37, in case function of_match_device() returns NULL.
> > 
> > Maybe a patch like the following could be applied in order to avoid any
> > chance of a NULL pointer dereference:
> 
> I do not believe it's possible for of_match_device() to return NULL in
> this case.
> 
> However, if you wanted to submit a patch checking for it, it would not
> be rejected.

Personally I would prefer to have a NULL pointer check in there.

Thanks,
Charles

Re: [mfd] question about potential null pointer dereference

[Gustavo A. R. Silva]

Hi guys,

Quoting Charles Keepax <ckeepax@opensource.wolfsonmicro.com>:

> On Wed, May 24, 2017 at 08:22:58AM +0100, Lee Jones wrote:
>> On Tue, 23 May 2017, Gustavo A. R. Silva wrote:
>> > The issue here is that there is a potential NULL pointer  
>> dereference at line
>> > 37, in case function of_match_device() returns NULL.
>> >
>> > Maybe a patch like the following could be applied in order to avoid any
>> > chance of a NULL pointer dereference:
>>
>> I do not believe it's possible for of_match_device() to return NULL in
>> this case.
>>
>> However, if you wanted to submit a patch checking for it, it would not
>> be rejected.
>
> Personally I would prefer to have a NULL pointer check in there.
>

I'll send a patch shortly.

Thank you both.
--
Gustavo A. R. Silva

[PATCH] mfd: add null check before pointer dereference

[Gustavo A. R. Silva]

Add null check before dereferencing pointer of_id in order to avoid
a potential NULL pointer dereference.

Addresses-Coverity-ID: 1408830
Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
 drivers/mfd/wm831x-spi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/mfd/wm831x-spi.c b/drivers/mfd/wm831x-spi.c
index c332e28..7b227c9 100644
--- a/drivers/mfd/wm831x-spi.c
+++ b/drivers/mfd/wm831x-spi.c
@@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)
 
 	if (spi->dev.of_node) {
 		of_id = of_match_device(wm831x_of_match, &spi->dev);
+		if (!of_id) {
+			dev_err(&spi->dev, "Failed to find matching id\n");
+			return -EINVAL;
+		}
 		type = (enum wm831x_parent)of_id->data;
 	} else {
 		type = (enum wm831x_parent)id->driver_data;
-- 
2.5.0

Re: [PATCH] mfd: add null check before pointer dereference

[Charles Keepax]

On Wed, May 24, 2017 at 03:27:31AM -0500, Gustavo A. R. Silva wrote:
> Add null check before dereferencing pointer of_id in order to avoid
> a potential NULL pointer dereference.
> 
> Addresses-Coverity-ID: 1408830
> Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---

Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>

Looks good although is there not probably the same issue in
wm831x-i2c.c? Might be worth fixing up both of them.

Thanks,
Charles

Re: [PATCH] mfd: add null check before pointer dereference

[Lee Jones]

Please use the $SUBJECT line expected by the subsystem.

The following command can help with this:

  `git log --oneline -- <SUBSYSTEM>`

> Add null check before dereferencing pointer of_id in order to avoid
> a potential NULL pointer dereference.
> 
> Addresses-Coverity-ID: 1408830
> Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---
>  drivers/mfd/wm831x-spi.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/mfd/wm831x-spi.c b/drivers/mfd/wm831x-spi.c
> index c332e28..7b227c9 100644
> --- a/drivers/mfd/wm831x-spi.c
> +++ b/drivers/mfd/wm831x-spi.c
> @@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)
>  
>  	if (spi->dev.of_node) {
>  		of_id = of_match_device(wm831x_of_match, &spi->dev);
> +		if (!of_id) {
> +			dev_err(&spi->dev, "Failed to find matching id\n");
> +			return -EINVAL;
> +		}

I already mentioned why this isn't suitable.

Please see my pre-review.

>  		type = (enum wm831x_parent)of_id->data;
>  	} else {
>  		type = (enum wm831x_parent)id->driver_data;

-- 
Lee Jones
Linaro STMicroelectronics Landing Team Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [PATCH] mfd: add null check before pointer dereference

[Gustavo A. R. Silva]

Hi Lee,

Quoting Lee Jones <lee.jones@linaro.org>:

> Please use the $SUBJECT line expected by the subsystem.
>
> The following command can help with this:
>
>   `git log --oneline -- <SUBSYSTEM>`
>

I get it.

>> Add null check before dereferencing pointer of_id in order to avoid
>> a potential NULL pointer dereference.
>>
>> Addresses-Coverity-ID: 1408830
>> Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
>> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
>> ---
>>  drivers/mfd/wm831x-spi.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/mfd/wm831x-spi.c b/drivers/mfd/wm831x-spi.c
>> index c332e28..7b227c9 100644
>> --- a/drivers/mfd/wm831x-spi.c
>> +++ b/drivers/mfd/wm831x-spi.c
>> @@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)
>>
>>  	if (spi->dev.of_node) {
>>  		of_id = of_match_device(wm831x_of_match, &spi->dev);
>> +		if (!of_id) {
>> +			dev_err(&spi->dev, "Failed to find matching id\n");
>> +			return -EINVAL;
>> +		}
>
> I already mentioned why this isn't suitable.
>
> Please see my pre-review.
>

You are right. Let me fix that.

Thanks
--
Gustavo A. R. Silva

[PATCH v2] mfd: wm831x: add null check before pointer dereference

[Gustavo A. R. Silva]

Add NULL check before dereferencing pointer of_id in order to avoid
a potential NULL pointer dereference.

Addresses-Coverity-ID: 1408830
Cc: Lee Jones <lee.jones@linaro.org>
Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
---
Changes in v2:
 Update error log and return value.

 drivers/mfd/wm831x-spi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/mfd/wm831x-spi.c b/drivers/mfd/wm831x-spi.c
index c332e28..018ce65 100644
--- a/drivers/mfd/wm831x-spi.c
+++ b/drivers/mfd/wm831x-spi.c
@@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)
 
 	if (spi->dev.of_node) {
 		of_id = of_match_device(wm831x_of_match, &spi->dev);
+		if (!of_id) {
+			dev_err(&spi->dev, "Failed to match device\n");
+			return -ENODEV;
+		}
 		type = (enum wm831x_parent)of_id->data;
 	} else {
 		type = (enum wm831x_parent)id->driver_data;
-- 
2.5.0

Re: [PATCH v2] mfd: wm831x: add null check before pointer dereference

[Lee Jones]

On Wed, 24 May 2017, Gustavo A. R. Silva wrote:

> Add NULL check before dereferencing pointer of_id in order to avoid
> a potential NULL pointer dereference.
> 
> Addresses-Coverity-ID: 1408830
> Cc: Lee Jones <lee.jones@linaro.org>
> Cc: Charles Keepax <ckeepax@opensource.wolfsonmicro.com>
> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
> ---
> Changes in v2:
>  Update error log and return value.
> 
>  drivers/mfd/wm831x-spi.c | 4 ++++
>  1 file changed, 4 insertions(+)

Applied, thanks.

> diff --git a/drivers/mfd/wm831x-spi.c b/drivers/mfd/wm831x-spi.c
> index c332e28..018ce65 100644
> --- a/drivers/mfd/wm831x-spi.c
> +++ b/drivers/mfd/wm831x-spi.c
> @@ -34,6 +34,10 @@ static int wm831x_spi_probe(struct spi_device *spi)
>  
>  	if (spi->dev.of_node) {
>  		of_id = of_match_device(wm831x_of_match, &spi->dev);
> +		if (!of_id) {
> +			dev_err(&spi->dev, "Failed to match device\n");
> +			return -ENODEV;
> +		}
>  		type = (enum wm831x_parent)of_id->data;
>  	} else {
>  		type = (enum wm831x_parent)id->driver_data;

-- 
Lee Jones
Linaro STMicroelectronics Landing Team Lead
Linaro.org │ Open source software for ARM SoCs
Follow Linaro: Facebook | Twitter | Blog