iio: cm36651: Fix i2c client leak and possible NULL pointer dereference

During probe the driver allocates dummy I2C devices (i2c_new_dummy()) but they aren't unregistered during driver remove or probe failure. Additionally driver does not check the return value of i2c_new_dummy(). In case of error (i2c_new_device(): memory allocation failure or I2C address cannot be used) this function returns NULL which is later dereferenced by i2c_smbus_{read,write}_data() functions. Fix issues by properly checking for i2c_new_dummy() return value and unregistering I2C devices on driver remove or probe failure. Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com> Acked-by: Beomho Seo <beomho.seo@samsung.com> Cc: stable@vger.kernel.org Signed-off-by: Jonathan Cameron <jic23@kernel.org>
author: Krzysztof Kozlowski <k.kozlowski@samsung.com> 2014-03-18 04:13:00 -0400
committer: Jonathan Cameron <jic23@kernel.org> 2014-03-22 08:22:49 -0400
commit: d0a588a57c2b0748df8307a0865a1bbbf1624c53 (patch)
tree: 38af1f01d38a1b036aef4e9060aea61af1c84336
parent: 2076a20fc1a06f7b0333c62a2bb4eeeac7ed1bcb (diff)
1 files changed, 20 insertions, 2 deletions
diff --git a/drivers/iio/light/cm36651.c b/drivers/iio/light/cm36651.c
index a45e07492db3..39fc67e82138 100644
--- a/drivers/iio/light/cm36651.c
+++ b/drivers/iio/light/cm36651.c
@@ -652,7 +652,19 @@ static int cm36651_probe(struct i2c_client *client,
        cm36651->client = client;
        cm36651->ps_client = i2c_new_dummy(client->adapter,
                                                     CM36651_I2C_ADDR_PS);
+        if (!cm36651->ps_client) {
+                dev_err(&client->dev, "%s: new i2c device failed\n", __func__);
+                ret = -ENODEV;
+                goto error_disable_reg;
+        }
        cm36651->ara_client = i2c_new_dummy(client->adapter, CM36651_ARA);
+        if (!cm36651->ara_client) {
+                dev_err(&client->dev, "%s: new i2c device failed\n", __func__);
+                ret = -ENODEV;
+                goto error_i2c_unregister_ps;
+        }
        mutex_init(&cm36651->lock);
        indio_dev->dev.parent = &client->dev;
        indio_dev->channels = cm36651_channels;
@@ -664,7 +676,7 @@ static int cm36651_probe(struct i2c_client *client,
        ret = cm36651_setup_reg(cm36651);
        if (ret) {
                dev_err(&client->dev, "%s: register setup failed\n", __func__);
-                goto error_disable_reg;
+                goto error_i2c_unregister_ara;
        }
        ret = request_threaded_irq(client->irq, NULL, cm36651_irq_handler,
@@ -672,7 +684,7 @@ static int cm36651_probe(struct i2c_client *client,
                                                        "cm36651", indio_dev);
        if (ret) {
                dev_err(&client->dev, "%s: request irq failed\n", __func__);
-                goto error_disable_reg;
+                goto error_i2c_unregister_ara;
        }
        ret = iio_device_register(indio_dev);
@@ -685,6 +697,10 @@ static int cm36651_probe(struct i2c_client *client,
 error_free_irq:
        free_irq(client->irq, indio_dev);
+error_i2c_unregister_ara:
+        i2c_unregister_device(cm36651->ara_client);
+error_i2c_unregister_ps:
+        i2c_unregister_device(cm36651->ps_client);
 error_disable_reg:
        regulator_disable(cm36651->vled_reg);
        return ret;
@@ -698,6 +714,8 @@ static int cm36651_remove(struct i2c_client *client)
        iio_device_unregister(indio_dev);
        regulator_disable(cm36651->vled_reg);
        free_irq(client->irq, indio_dev);
+        i2c_unregister_device(cm36651->ps_client);
+        i2c_unregister_device(cm36651->ara_client);
        return 0;
 }
author	Krzysztof Kozlowski <k.kozlowski@samsung.com>	2014-03-18 04:13:00 -0400
committer	Jonathan Cameron <jic23@kernel.org>	2014-03-22 08:22:49 -0400
commit	d0a588a57c2b0748df8307a0865a1bbbf1624c53 (patch)
tree	38af1f01d38a1b036aef4e9060aea61af1c84336
parent	2076a20fc1a06f7b0333c62a2bb4eeeac7ed1bcb (diff)