From: Nadezda Lutovinova
To: Guenter Roeck
Cc: Nadezda Lutovinova, Marc Hulsman, Rudolf Marek, Jean Delvare, linux-hwmon@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
Subject: [PATCH v2 2/3] hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
Date: Tue, 21 Sep 2021 18:51:52 +0300
Message-Id: <20210921155153.28098-2-lutovinova@ispras.ru>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210921155153.28098-1-lutovinova@ispras.ru>
References: <20210921155153.28098-1-lutovinova@ispras.ru>
In-Reply-To: <20210811181844.GB3138792@roeck-us.net>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

If the driver reads a val value sufficient for
(val & 0x08) && (!(val & 0x80)) && ((val & 0x7) == ((val >> 4) & 0x7))
from the device, then a NULL pointer dereference occurs.
(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers.)
Also, lm75[] does not serve a purpose anymore after switching to
devm_i2c_new_dummy_device() in w83791d_detect_subclients().

The patch fixes the possible NULL pointer dereference by removing lm75[].

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Nadezda Lutovinova
---
v2:
 - split one file per patch
 - remove lm75[] instead of adding checking
---
 drivers/hwmon/w83792d.c | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/drivers/hwmon/w83792d.c b/drivers/hwmon/w83792d.c index abd5c3a722b9..8a72be4ad74f 100644 --- a/drivers/hwmon/w83792d.c +++ b/drivers/hwmon/w83792d.c @@ -264,9 +264,6 @@ struct w83792d_data { char valid; /* !=0 if following fields are valid */ unsigned long last_updated; /* In jiffies */ - /* array of 2 pointers to subclients */ - struct i2c_client *lm75[2]; - u8 in[9]; /* Register value */ u8 in_max[9]; /* Register value */ u8 in_min[9]; /* Register value */ 
@@ -927,7 +924,6 @@ w83792d_detect_subclients(struct i2c_client *new_client) int address = new_client->addr; u8 val; struct i2c_adapter *adapter = new_client->adapter; - struct w83792d_data *data = i2c_get_clientdata(new_client); id = i2c_adapter_id(adapter); if (force_subclients[0] == id && force_subclients[1] == address) { @@ -946,20 +942,21 @@ w83792d_detect_subclients(struct i2c_client *new_client) } val = w83792d_read_value(new_client, W83792D_REG_I2C_SUBADDR); + + if (!(val & 0x88) && (val & 0x7) == ((val >> 4) & 0x7)) { + dev_err(&new_client->dev, + "duplicate addresses 0x%x, use force_subclient\n", + 0x48 + (val & 0x7)); + return -ENODEV; + } + if (!(val & 0x08)) - data->lm75[0] = devm_i2c_new_dummy_device(&new_client->dev, adapter, - 0x48 + (val & 0x7)); - if (!(val & 0x80)) { - if (!IS_ERR(data->lm75[0]) && - ((val & 0x7) == ((val >> 4) & 0x7))) { - dev_err(&new_client->dev, - "duplicate addresses 0x%x, use force_subclient\n", - data->lm75[0]->addr); - return -ENODEV; - } - data->lm75[1] = devm_i2c_new_dummy_device(&new_client->dev, adapter, - 0x48 + ((val >> 4) & 0x7)); - } + devm_i2c_new_dummy_device(&new_client->dev, adapter, + 0x48 + (val & 0x7)); + + if (!(val & 0x80)) + devm_i2c_new_dummy_device(&new_client->dev, adapter, + 0x48 + ((val >> 4) & 0x7)); return 0; } -- 2.17.1
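Review bot: In the hunk at @@ -946, the return values of both devm_i2c_new_dummy_device() calls are no longer stored or checked, so w83792d_detect_subclients() returns 0 even if a subclient address could not be claimed. The removed code treated the result as an ERR_PTR value (it tested IS_ERR(data->lm75[0])); consider keeping each result in a local variable and checking it with IS_ERR(), at least to log the failing address, or add a comment stating that a failed registration is deliberately ignored. The reordered duplicate check itself reads correctly: !(val & 0x88) limits it to the case where both subclients are enabled, which removes the path where data->lm75[0]->addr was read although lm75[0] had not been assigned. As a small follow-up, the dev_err() text says "force_subclient" while the parameter visible in the context lines is force_subclients.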
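Review bot: The hunk at @@ -927 edits w83792d_detect_subclients(), but the commit message names w83791d_detect_subclients() and describes the trigger value as tmp, while the variable read from W83792D_REG_I2C_SUBADDR in this function is val. Please make the message refer to this driver's function and variable so the description matches the code it changes.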