On Tue, 12 Oct 2021 14:36:24 +0800
Yang Yingliang <yangyingliang@xxxxxxxxxx> wrote:

> I got a null-ptr-deref report when doing fault injection test:
>
> BUG: kernel NULL pointer dereference, address: 0000000000000000
> RIP: 0010:strlen+0x0/0x20
> Call Trace:
>  start_creating+0x199/0x2f0
>  debugfs_create_dir+0x25/0x430
>  __iio_device_register+0x4da/0x1b40 [industrialio]
>  __devm_iio_device_register+0x22/0x80 [industrialio]
>  max1027_probe+0x639/0x860 [max1027]
>  spi_probe+0x183/0x210
>  really_probe+0x285/0xc30
>
> If dev_set_name() fails, the dev_name() is null, check the return
> value of dev_set_name() to avoid the null-ptr-deref.
>
> Reported-by: Hulk Robot <hulkci@xxxxxxxxxx>
> Fixes: e553f182d55b ("staging: iio: core: Introduce debugfs support...")
> Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>

Hi Yang Yingliang,

I've been delaying replying to these for a few days because you have
identified a more significant issue whilst working in this area and I
wanted to take a deeper look at it.

After we call device_initialize() a few lines above this all the cleanup
on error should be done via a put_device() call, not by cleaning it up
manually. However, that's clearly a much more substantial change so I'm
going to apply this for now and deal with that cleanup at a later date.

Thanks,

Jonathan

> ---
>  drivers/iio/industrialio-core.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index 2dc837db50f7..3e1e86d987cc 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -1665,7 +1665,13 @@ struct iio_dev *iio_device_alloc(struct device *parent, int sizeof_priv) > kfree(iio_dev_opaque); > return NULL; > } > - dev_set_name(&indio_dev->dev, "iio:device%d", iio_dev_opaque->id); > + > + if (dev_set_name(&indio_dev->dev, "iio:device%d", iio_dev_opaque->id)) { > + ida_simple_remove(&iio_ida, iio_dev_opaque->id); > + kfree(iio_dev_opaque); > + return NULL; > + } > + > INIT_LIST_HEAD(&iio_dev_opaque->buffer_list); > INIT_LIST_HEAD(&iio_dev_opaque->ioctl_handlers); >
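Review bot: the new failure branch in iio_device_alloc() tears the object down by hand (ida_simple_remove() plus kfree() of iio_dev_opaque), but as the reply above points out, once device_initialize() has run on indio_dev->dev the device is reference counted and the correct unwind is put_device(), which lets the device's release callback do the freeing; a manual kfree() of the structure that embeds the device skips that path. The preceding error path in the context (`kfree(iio_dev_opaque);` / `return NULL;`) already unwinds by hand, so the three-line block `ida_simple_remove(&iio_ida, iio_dev_opaque->id); kfree(iio_dev_opaque); return NULL;` is now duplicated teardown logic; when the put_device() conversion lands, both branches should collapse into a single error label so the fix does not have to be applied twice. The check itself is right: dev_set_name() returns non-zero when it cannot allocate the name, and the debugfs_create_dir(dev_name(...)) call visible in the trace would otherwise receive a NULL pointer.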