releases/5.10.71/hwmon-w83793-fix-null-pointer-dereference-by-removing-unnecessary-structure-field.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From dd4d747ef05addab887dc8ff0d6ab9860bbcd783 Mon Sep 17 00:00:00 2001
 From: Nadezda Lutovinova <lutovinova@ispras.ru>
 Date: Tue, 21 Sep 2021 18:51:53 +0300
 Subject: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

 From: Nadezda Lutovinova <lutovinova@ispras.ru>

 commit dd4d747ef05addab887dc8ff0d6ab9860bbcd783 upstream.

 If driver read tmp value sufficient for
 (tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
 from device then Null pointer dereference occurs.
 (It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
 Also lm75[] does not serve a purpose anymore after switching to
 devm_i2c_new_dummy_device() in w83791d_detect_subclients().

 The patch fixes possible NULL pointer dereference by removing lm75[].

 Found by Linux Driver Verification project (linuxtesting.org).

 Cc: stable@vger.kernel.org
 Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
 Link: https://lore.kernel.org/r/20210921155153.28098-3-lutovinova@ispras.ru
 [groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]
 Signed-off-by: Guenter Roeck <linux@roeck-us.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/hwmon/w83793.c |   26 +++++++++++---------------
  1 file changed, 11 insertions(+), 15 deletions(-)

 --- a/drivers/hwmon/w83793.c
 +++ b/drivers/hwmon/w83793.c
 @@ -202,7 +202,6 @@ static inline s8 TEMP_TO_REG(long val, s
  }

  struct w83793_data {
 -	struct i2c_client *lm75[2];
  	struct device *hwmon_dev;
  	struct mutex update_lock;
  	char valid;			/* !=0 if following fields are valid */
 @@ -1566,7 +1565,6 @@ w83793_detect_subclients(struct i2c_clie
  	int address = client->addr;
  	u8 tmp;
  	struct i2c_adapter *adapter = client->adapter;
 -	struct w83793_data *data = i2c_get_clientdata(client);

  	id = i2c_adapter_id(adapter);
  	if (force_subclients[0] == id && force_subclients[1] == address) {
 @@ -1586,21 +1584,19 @@ w83793_detect_subclients(struct i2c_clie
  	}

  	tmp = w83793_read_value(client, W83793_REG_I2C_SUBADDR);
 -	if (!(tmp & 0x08))
 -		data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
 -							  0x48 + (tmp & 0x7));
 -	if (!(tmp & 0x80)) {
 -		if (!IS_ERR(data->lm75[0])
 -		    && ((tmp & 0x7) == ((tmp >> 4) & 0x7))) {
 -			dev_err(&client->dev,
 -				"duplicate addresses 0x%x, "
 -				"use force_subclients\n", data->lm75[0]->addr);
 -			return -ENODEV;
 -		}
 -		data->lm75[1] = devm_i2c_new_dummy_device(&client->dev, adapter,
 -							  0x48 + ((tmp >> 4) & 0x7));
 +
 +	if (!(tmp & 0x88) && (tmp & 0x7) == ((tmp >> 4) & 0x7)) {
 +		dev_err(&client->dev,
 +			"duplicate addresses 0x%x, use force_subclient\n", 0x48 + (tmp & 0x7));
 +		return -ENODEV;
  	}

 +	if (!(tmp & 0x08))
 +		devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + (tmp & 0x7));
 +
 +	if (!(tmp & 0x80))
 +		devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + ((tmp >> 4) & 0x7));
 +
  	return 0;
  }
	From dd4d747ef05addab887dc8ff0d6ab9860bbcd783 Mon Sep 17 00:00:00 2001
	From: Nadezda Lutovinova <lutovinova@ispras.ru>
	Date: Tue, 21 Sep 2021 18:51:53 +0300
	Subject: hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field

	From: Nadezda Lutovinova <lutovinova@ispras.ru>

	commit dd4d747ef05addab887dc8ff0d6ab9860bbcd783 upstream.

	If driver read tmp value sufficient for
	(tmp & 0x08) && (!(tmp & 0x80)) && ((tmp & 0x7) == ((tmp >> 4) & 0x7))
	from device then Null pointer dereference occurs.
	(It is possible if tmp = 0b0xyz1xyz, where same literals mean same numbers)
	Also lm75[] does not serve a purpose anymore after switching to
	devm_i2c_new_dummy_device() in w83791d_detect_subclients().

	The patch fixes possible NULL pointer dereference by removing lm75[].

	Found by Linux Driver Verification project (linuxtesting.org).

	Cc: stable@vger.kernel.org
	Signed-off-by: Nadezda Lutovinova <lutovinova@ispras.ru>
	Link: https://lore.kernel.org/r/20210921155153.28098-3-lutovinova@ispras.ru
	[groeck: Dropped unnecessary continuation lines, fixed multi-line alignments]
	Signed-off-by: Guenter Roeck <linux@roeck-us.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/hwmon/w83793.c \| 26 +++++++++++---------------
	1 file changed, 11 insertions(+), 15 deletions(-)

	--- a/drivers/hwmon/w83793.c
	+++ b/drivers/hwmon/w83793.c
	@@ -202,7 +202,6 @@ static inline s8 TEMP_TO_REG(long val, s
	}

	struct w83793_data {
	- struct i2c_client *lm75[2];
	struct device *hwmon_dev;
	struct mutex update_lock;
	char valid; /* !=0 if following fields are valid */
	@@ -1566,7 +1565,6 @@ w83793_detect_subclients(struct i2c_clie
	int address = client->addr;
	u8 tmp;
	struct i2c_adapter *adapter = client->adapter;
	- struct w83793_data *data = i2c_get_clientdata(client);

	id = i2c_adapter_id(adapter);
	if (force_subclients[0] == id && force_subclients[1] == address) {
	@@ -1586,21 +1584,19 @@ w83793_detect_subclients(struct i2c_clie
	}

	tmp = w83793_read_value(client, W83793_REG_I2C_SUBADDR);
	- if (!(tmp & 0x08))
	- data->lm75[0] = devm_i2c_new_dummy_device(&client->dev, adapter,
	- 0x48 + (tmp & 0x7));
	- if (!(tmp & 0x80)) {
	- if (!IS_ERR(data->lm75[0])
	- && ((tmp & 0x7) == ((tmp >> 4) & 0x7))) {
	- dev_err(&client->dev,
	- "duplicate addresses 0x%x, "
	- "use force_subclients\n", data->lm75[0]->addr);
	- return -ENODEV;
	- }
	- data->lm75[1] = devm_i2c_new_dummy_device(&client->dev, adapter,
	- 0x48 + ((tmp >> 4) & 0x7));
	+
	+ if (!(tmp & 0x88) && (tmp & 0x7) == ((tmp >> 4) & 0x7)) {
	+ dev_err(&client->dev,
	+ "duplicate addresses 0x%x, use force_subclient\n", 0x48 + (tmp & 0x7));
	+ return -ENODEV;
	}

	+ if (!(tmp & 0x08))
	+ devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + (tmp & 0x7));
	+
	+ if (!(tmp & 0x80))
	+ devm_i2c_new_dummy_device(&client->dev, adapter, 0x48 + ((tmp >> 4) & 0x7));
	+
	return 0;
	}