[lvc-project] [PATCH] i2c: Fix NULL pointer dereference in npcm_i2c_reg_slave

Fedor Pchelkin pchelkin at ispras.ru
Wed Jan 10 12:16:36 MSK 2024


On 24/01/09 07:29PM, Fedor Pchelkin wrote:
> On 24/01/09 06:25PM, Fedor Pchelkin wrote:
> > Hi Rand,
> > 
> > On 24/01/09 05:51PM, Rand Deeb wrote:
> > > In the npcm_i2c_reg_slave function, a potential NULL pointer dereference
> > > issue occurs when 'client' is NULL. This patch adds a proper NULL check for
> > > 'client' at the beginning of the function to prevent undefined behavior.
> > 
> > Could you please explain how npcm_i2c_reg_slave() can be called with a
> > potential NULL argument?
> > 
> > It is called via a function pointer ->reg_slave. As for the 6.7 release, I
> > can only see it called from i2c_slave_register() here [1], and it seems
> > client definitely can't be NULL there.
> > 
> > Maybe it can happen for another kernel release (not upstream)?
> > 
> > [1]: https://elixir.bootlin.com/linux/latest/source/drivers/i2c/i2c-core-slave.c#L48
> 
> Just checked the related code from 5.10. And still can't see the problem
> your patch is fixing.
> 
> Moreover, if the problem actually existed then other drivers
> implementing the ->reg_slave function also would need the fix... So the
> questions from my first reply still remain.

I'm sorry, I totally missed that the original code is for some reason doing
this buggy check that returns EINVAL:

	bus->slave = client;
	if (!bus->slave)
		return -EINVAL;

But with the previous remarks in mind, I think this check should just be removed
since `client` can't be NULL. I'll ask this question on lkml.
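A small C model of the call path the thread describes, added here as an illustration and not taken from the kernel or from the patch. The struct and function names are made-up stand-ins, and the core-side guard models the thread's claim that i2c_slave_register() never passes a NULL client through ->reg_slave, which is what makes the driver-side check dead code.

```c
#include <stddef.h>
#include <errno.h>

/* Hypothetical model (not kernel code) of core -> ->reg_slave dispatch. */
struct model_client;

struct model_bus {
	struct model_client *slave;
	int (*reg_slave)(struct model_bus *bus, struct model_client *client);
	int driver_called;	/* counts how often ->reg_slave actually ran */
};

struct model_client {
	struct model_bus *bus;
};

/* Driver side, mirroring the quoted pattern: assign first, then check the copy. */
static int model_npcm_reg_slave(struct model_bus *bus, struct model_client *client)
{
	bus->driver_called++;
	bus->slave = client;
	if (!bus->slave)
		return -EINVAL;
	return 0;
}

/* Core side: validate 'client' before the function-pointer call,
 * as the thread says i2c_slave_register() does. */
static int model_slave_register(struct model_client *client)
{
	if (!client || !client->bus || !client->bus->reg_slave)
		return -EINVAL;
	return client->bus->reg_slave(client->bus, client);
}

/* Returns 1 if the driver's NULL branch can be reached via the core path. */
static int driver_null_check_reachable(struct model_bus *bus)
{
	bus->reg_slave = model_npcm_reg_slave;
	bus->driver_called = 0;
	(void)model_slave_register(NULL);	/* rejected by the core guard */
	return bus->driver_called != 0;
}
```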
