| Message ID | 20221117024558.4014-1-shangxiaojing@huawei.com (mailing list archive) |
|---|---|
| State | Handled Elsewhere, archived |
| Headers | show |
| Series | power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe() | expand |
Hi, On Thu, Nov 17, 2022 at 10:45:58AM +0800, Shang XiaoJing wrote: > cw_bat_probe() calls create_singlethread_workqueue() and not checked the > ret value, which may return NULL. And a null-ptr-deref may happen: > > cw_bat_probe() > create_singlethread_workqueue() # failed, cw_bat->wq is NULL > queue_delayed_work() > queue_delayed_work_on() > __queue_delayed_work() # warning here, but continue > __queue_work() # access wq->flags, null-ptr-deref > > Check the ret value and return -ENOMEM if it is NULL. > > Fixes: b4c7715c10c1 ("power: supply: add CellWise cw2015 fuel gauge driver") > Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> > --- Thanks, queued. -- Sebastian > drivers/power/supply/cw2015_battery.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/power/supply/cw2015_battery.c b/drivers/power/supply/cw2015_battery.c > index 6d52641151d9..473522b4326a 100644 > --- a/drivers/power/supply/cw2015_battery.c > +++ b/drivers/power/supply/cw2015_battery.c > @@ -699,6 +699,9 @@ static int cw_bat_probe(struct i2c_client *client) > } > > cw_bat->battery_workqueue = create_singlethread_workqueue("rk_battery"); > + if (!cw_bat->battery_workqueue) > + return -ENOMEM; > + > devm_delayed_work_autocancel(&client->dev, > &cw_bat->battery_delay_work, cw_bat_work); > queue_delayed_work(cw_bat->battery_workqueue, > -- > 2.17.1 >
diff --git a/drivers/power/supply/cw2015_battery.c b/drivers/power/supply/cw2015_battery.c index 6d52641151d9..473522b4326a 100644 --- a/drivers/power/supply/cw2015_battery.c +++ b/drivers/power/supply/cw2015_battery.c @@ -699,6 +699,9 @@ static int cw_bat_probe(struct i2c_client *client) } cw_bat->battery_workqueue = create_singlethread_workqueue("rk_battery"); + if (!cw_bat->battery_workqueue) + return -ENOMEM; + devm_delayed_work_autocancel(&client->dev, &cw_bat->battery_delay_work, cw_bat_work); queue_delayed_work(cw_bat->battery_workqueue,
cw_bat_probe() calls create_singlethread_workqueue() and not checked the ret value, which may return NULL. And a null-ptr-deref may happen: cw_bat_probe() create_singlethread_workqueue() # failed, cw_bat->wq is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref Check the ret value and return -ENOMEM if it is NULL. Fixes: b4c7715c10c1 ("power: supply: add CellWise cw2015 fuel gauge driver") Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com> --- drivers/power/supply/cw2015_battery.c | 3 +++ 1 file changed, 3 insertions(+)