From: Stepan Ionichev
To: tomasz.duszynski@octakon.com
Cc: jic23@kernel.org, dlechner@baylibre.com, nuno.sa@analog.com, andy@kernel.org, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, Stepan Ionichev
Subject: [PATCH] iio: chemical: scd30: avoid potential NULL deref in scd30_i2c_command()
Date: Wed, 6 May 2026 23:15:33 +0500
Message-ID: <20260506181533.409-1-sozdayvek@gmail.com>

scd30_i2c_command() takes an opaque "response" buffer plus its size.
At the start of the function the code already checks if response is NULL
(via the rsp local), but the response-decoding loop after the i2c
transfer always dereferences rsp without re-checking.

With the current callers in scd30_core.c this is harmless, since write
commands pass response=NULL together with size=0 (so the loop body is
never entered). However, the inconsistency is an accident waiting to
happen if a future caller passes response=NULL together with size > 0 --
the loop would then write through a NULL pointer.

smatch flags this:

  drivers/iio/chemical/scd30_i2c.c:104 scd30_i2c_command() error: we previously assumed rsp could be null (see line 77)

Bail out early when rsp is NULL so the function is robust regardless of
the (cmd, size) combination chosen by the caller. No functional change
for the existing callers.

Signed-off-by: Stepan Ionichev
---
 drivers/iio/chemical/scd30_i2c.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iio/chemical/scd30_i2c.c b/drivers/iio/chemical/scd30_i2c.c index 436df9c61..fb06bec75 100644 --- a/drivers/iio/chemical/scd30_i2c.c +++ b/drivers/iio/chemical/scd30_i2c.c @@ -93,6 +93,9 @@ static int scd30_i2c_command(struct scd30_state *state, enum scd30_cmd cmd, u16 if (ret) return ret; + if (!rsp) + return 0; + /* validate received data and strip off crc bytes */ for (i = 0; i < size; i += 3) { crc = crc8(scd30_i2c_crc8_tbl, buf + i, 2, CRC8_INIT_VALUE); -- 2.43.0
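
Review bot: the new `if (!rsp) return 0;` ahead of the decoding loop reports success for exactly the case the commit message describes as a caller mistake (response=NULL together with size > 0), so a future misuse would be hidden instead of caught. The commit message states that valid write commands always pass size=0 and therefore never enter the loop, so consider rejecting the mismatched combination instead, for example by returning -EINVAL when rsp is NULL and size is non-zero, and doing so next to the existing NULL check at the start of the function so the i2c transfer is not issued for an invalid request. If returning 0 is kept, a short comment above the check saying that a NULL response means a write command with nothing to decode would document the intent.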