On Wed, Aug 11, 2021 at 07:15:15PM +0300, Nadezda Lutovinova wrote:
> If driver read tmp (or val) value sufficient for
> (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
> from device then Null pointer dereference occurs.
> (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
>
> The patch adds checking if data->lm75[0] is NULL.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
One patch per driver, please.
> Signed-off-by: Nadezda Lutovinova <lutovinova@xxxxxxxxx>
> ---
> drivers/hwmon/w83791d.c | 2 +-
> drivers/hwmon/w83792d.c | 2 +-
> drivers/hwmon/w83793.c | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/hwmon/w83791d.c b/drivers/hwmon/w83791d.c
> index 37b25a1474c4..8b30bbfafaa7 100644
> --- a/drivers/hwmon/w83791d.c
> +++ b/drivers/hwmon/w83791d.c
> @@ -1284,7 +1284,7 @@ static int w83791d_detect_subclients(struct i2c_client *client)
> data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
> 0x48 + (val & 0x7));
> if (!(val & 0x80)) {
> - if (!IS_ERR(data->lm75[0]) &&
> + if (!IS_ERR_OR_NULL(data->lm75[0]) &&
> ((val & 0x7) == ((val >> 4) & 0x7))) {
> dev_err(&client->dev,
> "duplicate addresses 0x%x, "
As you pointed out in te other e-mail, lm75[] does not really serve
a purpose anymore. It might be much better to replace this code with
something like
if (!(val & 0x88) && (val & 0x7) == ((val >> 4) & 0x7)) {
dev_err(&new_client->dev,
"duplicate addresses 0x%x, use force_subclient\n",
0x48 + (val & 0x7));
return -ENODEV;
}
Same for the other chips.
Guenter
> diff --git a/drivers/hwmon/w83792d.c b/drivers/hwmon/w83792d.c
> index abd5c3a722b9..85ae12d950e1 100644
> --- a/drivers/hwmon/w83792d.c
> +++ b/drivers/hwmon/w83792d.c
> @@ -950,7 +950,7 @@ w83792d_detect_subclients(struct i2c_client *new_client)
> data->lm75[0] = devm_i2c_new_dummy_device(&new_client->dev, adapter,
> 0x48 + (val & 0x7));
> if (!(val & 0x80)) {
> - if (!IS_ERR(data->lm75[0]) &&
> + if (!IS_ERR_OR_NULL(data->lm75[0]) &&
> ((val & 0x7) == ((val >> 4) & 0x7))) {
> dev_err(&new_client->dev,
> "duplicate addresses 0x%x, use force_subclient\n",
> diff --git a/drivers/hwmon/w83793.c b/drivers/hwmon/w83793.c
> index e7d0484eabe4..9d8c44e2fa6e 100644
> --- a/drivers/hwmon/w83793.c
> +++ b/drivers/hwmon/w83793.c
> @@ -1590,7 +1590,7 @@ w83793_detect_subclients(struct i2c_client *client)
> data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
> 0x48 + (tmp & 0x7));
> if (!(tmp & 0x80)) {
> - if (!IS_ERR(data->lm75[0])
> + if (!IS_ERR_OR_NULL(data->lm75[0])
> && ((tmp & 0x7) == ((tmp >> 4) & 0x7))) {
> dev_err(&client->dev,
> "duplicate addresses 0x%x, "
> --
> 2.17.1
>
