[PATCH] i2c: cp2615: fix serial string NULL-deref at probe

[PATCH] i2c: cp2615: fix serial string NULL-deref at probe

[Johan Hovold]

The cp2615 driver uses the USB device serial string as the i2c adapter
name but does not make sure that the string exists.

Verify that the device has a serial number before accessing it to avoid
triggering a NULL-pointer dereference (e.g. with malicious devices).

Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
Cc: stable@vger.kernel.org	# 5.13
Cc: Bence Csókás <bence98@sch.bme.hu>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/i2c/busses/i2c-cp2615.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
index c1dbf7961a02..951de6249834 100644
--- a/drivers/i2c/busses/i2c-cp2615.c
+++ b/drivers/i2c/busses/i2c-cp2615.c
@@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id)
 	if (!adap)
 		return -ENOMEM;
 
+	if (!usbdev->serial)
+		return -EINVAL;
+
 	strscpy(adap->name, usbdev->serial, sizeof(adap->name));
 	adap->owner = THIS_MODULE;
 	adap->dev.parent = &usbif->dev;
-- 
2.52.0

Re: [PATCH] i2c: cp2615: fix serial string NULL-deref at probe

[Bence Csókás]

Reviewed-by: Bence Csókás <bence98@sch.bme.hu>

On 3/9/26 08:50, Johan Hovold wrote:
> The cp2615 driver uses the USB device serial string as the i2c adapter
> name but does not make sure that the string exists.
> 
> Verify that the device has a serial number before accessing it to avoid
> triggering a NULL-pointer dereference (e.g. with malicious devices).
> 
> Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> Cc: stable@vger.kernel.org	# 5.13
> Cc: Bence Csókás <bence98@sch.bme.hu>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
>   drivers/i2c/busses/i2c-cp2615.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> index c1dbf7961a02..951de6249834 100644
> --- a/drivers/i2c/busses/i2c-cp2615.c
> +++ b/drivers/i2c/busses/i2c-cp2615.c
> @@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id)
>   	if (!adap)
>   		return -ENOMEM;
>   
> +	if (!usbdev->serial)
> +		return -EINVAL;
> +
>   	strscpy(adap->name, usbdev->serial, sizeof(adap->name));
>   	adap->owner = THIS_MODULE;
>   	adap->dev.parent = &usbif->dev;

I didn't realize at the time I wrote this that `serial` can be NULL, I 
was under the impression that the USB core would pass me an empty string 
if there's no iSerial string descriptor (alas, it does not).
AFAIK real CP2615s will always have a serial, so returning error should 
not be a major problem. However, we could just as easily skip 
`strscpy()` and go on with the probe with an empty name. But I'm fine 
with either solution.

Bence

Re: [PATCH] i2c: cp2615: fix serial string NULL-deref at probe

[Johan Hovold]

On Wed, Mar 11, 2026 at 10:40:19PM +0100, Bence Csókás wrote:
> Reviewed-by: Bence Csókás <bence98@sch.bme.hu>
> 
> On 3/9/26 08:50, Johan Hovold wrote:
> > The cp2615 driver uses the USB device serial string as the i2c adapter
> > name but does not make sure that the string exists.
> > 
> > Verify that the device has a serial number before accessing it to avoid
> > triggering a NULL-pointer dereference (e.g. with malicious devices).

> > @@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id)
> >   	if (!adap)
> >   		return -ENOMEM;
> >   
> > +	if (!usbdev->serial)
> > +		return -EINVAL;
> > +
> >   	strscpy(adap->name, usbdev->serial, sizeof(adap->name));
> >   	adap->owner = THIS_MODULE;
> >   	adap->dev.parent = &usbif->dev;

> AFAIK real CP2615s will always have a serial, so returning error should 
> not be a major problem.

That's my reasoning as well. In the unlikely event that there'll ever be
valid firmware without a serial string we can amend the driver.

Johan

Re: [PATCH] i2c: cp2615: fix serial string NULL-deref at probe

[Andi Shyti]

Hi Johan,

On Mon, Mar 09, 2026 at 08:50:16AM +0100, Johan Hovold wrote:
> The cp2615 driver uses the USB device serial string as the i2c adapter
> name but does not make sure that the string exists.
> 
> Verify that the device has a serial number before accessing it to avoid
> triggering a NULL-pointer dereference (e.g. with malicious devices).
> 
> Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> Cc: stable@vger.kernel.org	# 5.13
> Cc: Bence Csókás <bence98@sch.bme.hu>
> Signed-off-by: Johan Hovold <johan@kernel.org>

merged to i2c/i2c-host-fixes.

Thanks,
Andi