Re: [PATCH] iio: adc: Variables could be uninitalized if regmap_read() fails

From: Jonathan Cameron
Date: Tue Oct 01 2019 - 05:18:31 EST


On Sun, 29 Sep 2019 22:25:39 -0700
Yizhuo <yzhai003@xxxxxxx> wrote:

> Several functions in this file are trying to use regmap_read() to
> initialize the specific variable, however, if regmap_read() fails,
> the variable could be uninitialized but used directly, which is
> potentially unsafe. The return value of regmap_read() should be
> checked and handled.
>
> Signed-off-by: Yizhuo <yzhai003@xxxxxxx>
I haven't checked if this one has a clock, but there is a bigger issue.
See inline.

Jonathan

> ---
> drivers/iio/adc/bcm_iproc_adc.c | 45 ++++++++++++++++++++++++++++-----
> 1 file changed, 39 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/iio/adc/bcm_iproc_adc.c b/drivers/iio/adc/bcm_iproc_adc.c
> index 646ebdc0a8b4..6df19ceb5ff2 100644
> --- a/drivers/iio/adc/bcm_iproc_adc.c
> +++ b/drivers/iio/adc/bcm_iproc_adc.c
> @@ -137,6 +137,7 @@ static irqreturn_t iproc_adc_interrupt_thread(int irq, void *data)
> u32 channel_intr_status;
> u32 intr_status;
> u32 intr_mask;
> + int ret;
> struct iio_dev *indio_dev = data;
> struct iproc_adc_priv *adc_priv = iio_priv(indio_dev);
>
> @@ -145,8 +146,19 @@ static irqreturn_t iproc_adc_interrupt_thread(int irq, void *data)
> * Make sure this interrupt is intended for us.
> * Handle only ADC channel specific interrupts.
> */
> - regmap_read(adc_priv->regmap, IPROC_INTERRUPT_STATUS, &intr_status);
> - regmap_read(adc_priv->regmap, IPROC_INTERRUPT_MASK, &intr_mask);
> + ret = regmap_read(adc_priv->regmap,
> + IPROC_INTERRUPT_STATUS, &intr_status);
> + if (ret) {
> + dev_err(&indio_dev->dev, "Fail to read IPROC_INTERRUPT_STATUS.\n");
> + return ret;
> + }
> +
> + ret = regmap_read(adc_priv->regmap, IPROC_INTERRUPT_MASK, &intr_mask);
> + if (ret) {
> + dev_err(&indio_dev->dev, "Fail to read IPROC_INTERRUPT_MASK.\n");
> + return ret;
> + }
You need to be extremely careful returning error codes from interrupt routines..

Basically you can't ;)

> +
> intr_status = intr_status & intr_mask;
> channel_intr_status = (intr_status & IPROC_ADC_INTR_MASK) >>
> IPROC_ADC_INTR;
> @@ -162,6 +174,7 @@ static irqreturn_t iproc_adc_interrupt_handler(int irq, void *data)
> struct iproc_adc_priv *adc_priv;
> struct iio_dev *indio_dev = data;
> unsigned int valid_entries;
> + int ret;
> u32 intr_status;
> u32 intr_channels;
> u32 channel_status;
> @@ -169,23 +182,37 @@ static irqreturn_t iproc_adc_interrupt_handler(int irq, void *data)
>
> adc_priv = iio_priv(indio_dev);
>
> - regmap_read(adc_priv->regmap, IPROC_INTERRUPT_STATUS, &intr_status);
> + ret = regmap_read(adc_priv->regmap,
> + IPROC_INTERRUPT_STATUS, &intr_status);
> + if (ret) {
> + dev_err(&indio_dev->dev, "Fail to read IPROC_INTERRUPT_STATUS.\n");
> + return ret;
> + }
> +
> dev_dbg(&indio_dev->dev, "iproc_adc_interrupt_handler(),INTRPT_STS:%x\n",
> intr_status);
>
> intr_channels = (intr_status & IPROC_ADC_INTR_MASK) >> IPROC_ADC_INTR;
> if (intr_channels) {
> - regmap_read(adc_priv->regmap,
> + ret = regmap_read(adc_priv->regmap,
> IPROC_ADC_CHANNEL_INTERRUPT_STATUS +
> IPROC_ADC_CHANNEL_OFFSET * adc_priv->chan_id,
> &ch_intr_status);
> + if (ret) {
> + dev_err(&indio_dev->dev, "Fail to read the register.\n");
> + return ret;
> + }
>
> if (ch_intr_status & IPROC_ADC_CHANNEL_WTRMRK_INTR_MASK) {
> - regmap_read(adc_priv->regmap,
> + ret = regmap_read(adc_priv->regmap,
> IPROC_ADC_CHANNEL_STATUS +
> IPROC_ADC_CHANNEL_OFFSET *
> adc_priv->chan_id,
> &channel_status);
> + if (ret) {
> + dev_err(&indio_dev->dev, "Fail to read the register.\n");
> + return ret;
> + }
>
> valid_entries = ((channel_status &
> IPROC_ADC_CHANNEL_VALID_ENTERIES_MASK) >>
> @@ -230,6 +257,7 @@ static int iproc_adc_do_read(struct iio_dev *indio_dev,
> u32 mask;
> u32 val_check;
> int failed_cnt = 0;
> + int ret;
> struct iproc_adc_priv *adc_priv = iio_priv(indio_dev);
>
> mutex_lock(&adc_priv->mutex);
> @@ -284,7 +312,12 @@ static int iproc_adc_do_read(struct iio_dev *indio_dev,
> * Testing has shown that this may loop a few time, but we have never
> * hit the full count.
> */
> - regmap_read(adc_priv->regmap, IPROC_INTERRUPT_MASK, &val_check);
> + ret = regmap_read(adc_priv->regmap, IPROC_INTERRUPT_MASK, &val_check);
> + if (ret) {
> + dev_err(&indio_dev->dev, "Fail to read IPROC_INTERRUPT_MASK.\n");
> + return ret;
> + }
> +
> while (val_check != val) {
> failed_cnt++;
>