Re: [PATCH v3] iio: frequency: admv1013: fix NULL pointer dereference on str

[Nuno Sá]

On Wed, 2026-03-04 at 11:58 +0200, Antoniu Miclaus wrote:
> When device_property_read_string() fails, str is left uninitialized
> but the code falls through to strcmp(str, ...), dereferencing a garbage
> pointer. Replace manual read/strcmp with
> device_property_match_property_string() which reads the property as a
> single string value and matches it against an array of known valid
> strings, handling the missing property case internally.
> 
> Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
> Signed-off-by: Antoniu Miclaus <antoniu.miclaus@xxxxxxxxxx>
> ---

One nit below but no need to re-spin just for that:

Reviewed-by: Nuno Sá <nuno.sa@xxxxxxxxxx>

> Changes in v3:
>  - add enum for quad SE mode indices to avoid magic numbers
>  - use designated initializers for string arrays
>  - replace switch with a lookup table for quad SE register values
> 
>  drivers/iio/frequency/admv1013.c | 55 +++++++++++++++++++-------------
>  1 file changed, 33 insertions(+), 22 deletions(-)
> 
> diff --git a/drivers/iio/frequency/admv1013.c b/drivers/iio/frequency/admv1013.c
> index 9202443ef445..afdf06a0de43 100644
> --- a/drivers/iio/frequency/admv1013.c
> +++ b/drivers/iio/frequency/admv1013.c
> @@ -90,6 +90,12 @@ enum {
>  	ADMV1013_SE_MODE_DIFF = 12
>  };
>  
> +enum {
> +	ADMV1013_QUAD_SE_DIFF,
> +	ADMV1013_QUAD_SE_POS,
> +	ADMV1013_QUAD_SE_NEG,
> +};
> +
>  struct admv1013_state {
>  	struct spi_device	*spi;
>  	struct clk		*clkin;
> @@ -512,37 +518,42 @@ static void admv1013_powerdown(void *data)
>  	admv1013_spi_update_bits(data, ADMV1013_REG_ENABLE, enable_reg_msk, enable_reg);
>  }
>  
> +static const char * const admv1013_input_modes[] = {
> +	[ADMV1013_IQ_MODE] = "iq",
> +	[ADMV1013_IF_MODE] = "if",
> +};
> +
> +static const char * const admv1013_quad_se_modes[] = {
> +	[ADMV1013_QUAD_SE_DIFF] = "diff",
> +	[ADMV1013_QUAD_SE_POS] = "se-pos",
> +	[ADMV1013_QUAD_SE_NEG] = "se-neg",
> +};
> +
> +static const unsigned int admv1013_quad_se_regvals[] = {
> +	[ADMV1013_QUAD_SE_DIFF] = ADMV1013_SE_MODE_DIFF,
> +	[ADMV1013_QUAD_SE_POS] = ADMV1013_SE_MODE_POS,
> +	[ADMV1013_QUAD_SE_NEG] = ADMV1013_SE_MODE_NEG,
> +};
> +
>  static int admv1013_properties_parse(struct admv1013_state *st)
>  {
>  	int ret;
> -	const char *str;
>  	struct device *dev = &st->spi->dev;
>  
>  	st->det_en = device_property_read_bool(dev, "adi,detector-enable");
>  
> -	ret = device_property_read_string(dev, "adi,input-mode", &str);
> -	if (ret)
> -		st->input_mode = ADMV1013_IQ_MODE;
> +	ret = device_property_match_property_string(dev, "adi,input-mode",
> +						    admv1013_input_modes,
> +						    ARRAY_SIZE(admv1013_input_modes));
> +	st->input_mode = ret >= 0 ? ret : ADMV1013_IQ_MODE;
>  
> -	if (!strcmp(str, "iq"))
> -		st->input_mode = ADMV1013_IQ_MODE;
> -	else if (!strcmp(str, "if"))
> -		st->input_mode = ADMV1013_IF_MODE;
> -	else
> -		return -EINVAL;
> +	ret = device_property_match_property_string(dev, "adi,quad-se-mode",
> +						    admv1013_quad_se_modes,
> +						    ARRAY_SIZE(admv1013_quad_se_modes));
> +	if (ret < 0)
> +		ret = ADMV1013_QUAD_SE_DIFF;
>  
> -	ret = device_property_read_string(dev, "adi,quad-se-mode", &str);
> -	if (ret)
> -		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> -
> -	if (!strcmp(str, "diff"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> -	else if (!strcmp(str, "se-pos"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_POS;
> -	else if (!strcmp(str, "se-neg"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_NEG;
> -	else
> -		return -EINVAL;
> +	st->quad_se_mode = admv1013_quad_se_regvals[ret];

You could have kept the same style:

st->quad_se_mode = ret >= 0 ? admv1013_quad_se_regvals[ret] : ADMV1013_SE_MODE_DIFF;

yes, more that 80 col but maybe one of those justifiable cases :)

- Nuno Sá