Re: [PATCH] i2c: cp2615: fix serial string NULL-deref at probe
From: Bence Csókás
Date: Wed Mar 11 2026 - 17:40:39 EST
Reviewed-by: Bence Csókás <bence98@xxxxxxxxxx>
On 3/9/26 08:50, Johan Hovold wrote:
The cp2615 driver uses the USB device serial string as the i2c adapter
name but does not make sure that the string exists.
Verify that the device has a serial number before accessing it to avoid
triggering a NULL-pointer dereference (e.g. with malicious devices).
Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
Cc: stable@xxxxxxxxxxxxxxx # 5.13
Cc: Bence Csókás <bence98@xxxxxxxxxx>
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
---
drivers/i2c/busses/i2c-cp2615.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
index c1dbf7961a02..951de6249834 100644
--- a/drivers/i2c/busses/i2c-cp2615.c
+++ b/drivers/i2c/busses/i2c-cp2615.c
@@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id)
if (!adap)
return -ENOMEM;
+ if (!usbdev->serial)
+ return -EINVAL;
+
strscpy(adap->name, usbdev->serial, sizeof(adap->name));
adap->owner = THIS_MODULE;
adap->dev.parent = &usbif->dev;
I didn't realize at the time I wrote this that `serial` can be NULL, I was under the impression that the USB core would pass me an empty string if there's no iSerial string descriptor (alas, it does not).
AFAIK real CP2615s will always have a serial, so returning error should not be a major problem. However, we could just as easily skip `strscpy()` and go on with the probe with an empty name. But I'm fine with either solution.
Bence