media: i2c: tda1997x: prevent potential NULL pointer access

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

i2c_new_dummy() can fail returning a NULL pointer. This is not checked
and the returned pointer is blindly used. Convert to
devm_i2c_new_dummy_client() which returns an ERR_PTR and also add a
validity check. Using devm_* here also fixes a leak because the dummy
client was not released in the probe error path.

Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

authored by

Wolfram Sang and committed by

Mauro Carvalho Chehab 6 years ago 2f822f1d 53f5d7a4

+7 -2

1 changed file

expand all

drivers

media

i2c

tda1997x.c

+7 -2

drivers/media/i2c/tda1997x.c

··· 2691 2691 } 2692 2692 2693 2693 ret = 0x34 + ((io_read(sd, REG_SLAVE_ADDR)>>4) & 0x03); 2694 - state->client_cec = i2c_new_dummy(client->adapter, ret); 2694 + state->client_cec = devm_i2c_new_dummy_device(&client->dev, 2695 + client->adapter, ret); 2696 + if (IS_ERR(state->client_cec)) { 2697 + ret = PTR_ERR(state->client_cec); 2698 + goto err_free_mutex; 2699 + } 2700 + 2695 2701 v4l_info(client, "CEC slave address 0x%02x\n", ret); 2696 2702 2697 2703 ret = tda1997x_core_init(sd); ··· 2804 2798 media_entity_cleanup(&sd->entity); 2805 2799 v4l2_ctrl_handler_free(&state->hdl); 2806 2800 regulator_bulk_disable(TDA1997X_NUM_SUPPLIES, state->supplies); 2807 - i2c_unregister_device(state->client_cec); 2808 2801 cancel_delayed_work(&state->delayed_work_enable_hpd); 2809 2802 mutex_destroy(&state->page_lock); 2810 2803 mutex_destroy(&state->lock);