drivers: thermal: tsens: Fix null pointer dereference

Message ID	20240405090720.16419-1-amishin@t-argos.ru
State	New
Headers	show Received: from mx1.t-argos.ru (mx1.t-argos.ru [109.73.34.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7958C15FA95; Fri, 5 Apr 2024 09:10:10 +0000 (UTC) From: Aleksandr Mishin <amishin@t-argos.ru> To: Christian Marangi <ansuelsmth@gmail.com> CC: Aleksandr Mishin <amishin@t-argos.ru>, Amit Kucheria <amitk@kernel.org>, Thara Gopinath <thara.gopinath@gmail.com>, Bjorn Andersson <andersson@kernel.org>, Konrad Dybcio <konrad.dybcio@linaro.org>, "Rafael J. Wysocki" <rafael@kernel.org>, Daniel Lezcano <daniel.lezcano@linaro.org>, Zhang Rui <rui.zhang@intel.com>, Lukasz Luba <lukasz.luba@arm.com>, <linux-pm@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org> Subject: [PATCH] drivers: thermal: tsens: Fix null pointer dereference Date: Fri, 5 Apr 2024 12:07:20 +0300 Message-ID: <20240405090720.16419-1-amishin@t-argos.ru> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain FromAlignment: s bases: 2024/04/05 06:54:00 bases: 2024/04/05 07:02:00 #24662400
Series	drivers: thermal: tsens: Fix null pointer dereference \| expand drivers: thermal: tsens: Fix null pointer dereference

Message ID

20240405090720.16419-1-amishin@t-argos.ru

State

New

Headers

From: Aleksandr Mishin <amishin@t-argos.ru>
To: Christian Marangi <ansuelsmth@gmail.com>
CC: Aleksandr Mishin <amishin@t-argos.ru>, Amit Kucheria <amitk@kernel.org>,
	Thara Gopinath <thara.gopinath@gmail.com>, Bjorn Andersson
	<andersson@kernel.org>, Konrad Dybcio <konrad.dybcio@linaro.org>, "Rafael J.
 Wysocki" <rafael@kernel.org>, Daniel Lezcano <daniel.lezcano@linaro.org>,
	Zhang Rui <rui.zhang@intel.com>, Lukasz Luba <lukasz.luba@arm.com>,
	<linux-pm@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH] drivers: thermal: tsens: Fix null pointer dereference
Date: Fri, 5 Apr 2024 12:07:20 +0300
Message-ID: <20240405090720.16419-1-amishin@t-argos.ru>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

drivers: thermal: tsens: Fix null pointer dereference | expand

Commit Message

Aleksandr Mishin April 5, 2024, 9:07 a.m. UTC

compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)
as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null
pointer dereference (if DEBUG or DYNAMIC_DEBUG set).
Fix this bug by adding null pointer check.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: dfc1193d4dbd ("thermal/drivers/tsens: Replace custom 8960 apis with generic apis")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
 drivers/thermal/qcom/tsens.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Konrad Dybcio April 9, 2024, 9:52 a.m. UTC | #1

On 4/5/24 11:07, Aleksandr Mishin wrote:
> compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)
> as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to null
> pointer dereference (if DEBUG or DYNAMIC_DEBUG set).
> Fix this bug by adding null pointer check.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: dfc1193d4dbd ("thermal/drivers/tsens: Replace custom 8960 apis with generic apis")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---

Maybe we can replace p2[i] with p2 ? p2[i] : 0

Konrad

Aleksandr Mishin April 11, 2024, 11:24 a.m. UTC | #2

On 09.04.2024 12:52, Konrad Dybcio wrote:
> 
> 
> On 4/5/24 11:07, Aleksandr Mishin wrote:
>> compute_intercept_slope() is called from calibrate_8960() (in 
>> tsens-8960.c)
>> as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to 
>> null
>> pointer dereference (if DEBUG or DYNAMIC_DEBUG set).
>> Fix this bug by adding null pointer check.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: dfc1193d4dbd ("thermal/drivers/tsens: Replace custom 8960 apis 
>> with generic apis")
>> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
>> ---
> 
> Maybe we can replace p2[i] with p2 ? p2[i] : 0

Your solution look better for me. Thanks. I'll offer v2 patch

> 
> Konrad

diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c
index 6d7c16ccb44d..f7dd70e8d158 100644
--- a/drivers/thermal/qcom/tsens.c
+++ b/drivers/thermal/qcom/tsens.c
@@ -262,9 +262,10 @@  void compute_intercept_slope(struct tsens_priv *priv, u32 *p1,
 	int num, den;
 
 	for (i = 0; i < priv->num_sensors; i++) {
-		dev_dbg(priv->dev,
-			"%s: sensor%d - data_point1:%#x data_point2:%#x\n",
-			__func__, i, p1[i], p2[i]);
+		if (p1 && p2)
+			dev_dbg(priv->dev,
+				"%s: sensor%d - data_point1:%#x data_point2:%#x\n",
+				__func__, i, p1[i], p2[i]);
 
 		if (!priv->sensor[i].slope)
 			priv->sensor[i].slope = SLOPE_DEFAULT;

drivers: thermal: tsens: Fix null pointer dereference

Commit Message

Comments

Patch