Re: [PATCH v2] iio: imu: adis: Fix NULL pointer dereference in adis_init
From: Jonathan Cameron
Date: Sun Feb 22 2026 - 11:48:34 EST
On Fri, 20 Feb 2026 16:24:40 +0200
Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> wrote:
> On Fri, Feb 20, 2026 at 04:16:41PM +0200, Radu Sabau via B4 Relay wrote:
>
> > The adis_init() function dereferences adis->ops to check if the
> > individual function pointers (write, read, reset) are NULL, but does
> > not first check if adis->ops itself is NULL.
> >
> > Drivers like adis16480, adis16490, adis16545 and others do not set
> > custom ops and rely on adis_init() assigning the defaults. Since struct
> > adis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL
> > when adis_init() is called, causing a NULL pointer dereference:
> >
> > Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
> > pc : adis_init+0xc0/0x118
> > Call trace:
> > adis_init+0xc0/0x118
> > adis16480_probe+0xe0/0x670
> >
> > Fix this by checking if adis->ops is NULL before dereferencing it,
> > falling through to assign the default ops in that case.
>
> Don't throw versions too quickly. You missed a tag from a colleague of yours.
>
> > Fixes: 3b29bcee8f6f ("iio: imu: adis: Add custom ops struct")
>
> ...
>
> > - if (!adis->ops->write && !adis->ops->read && !adis->ops->reset)
> > + if (!adis->ops)
>
> I hope you have checked that this is indeed the case and we don't need this
> check anymore. (I would be glad to see it being replaced as in this patch!)
>
> Assuming this is confirmed,
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxx>
>
> Collect the tags and issue a new version only on demand, and not earlier
> than 24h from the previous one.
>
I picked up the tag from Antonio and applied this as well as adding a stable
marking so it'll get backported.
Note I'll be rebasing on rc1 once available, so the fixes-togreg branch
currently has a random mid merge window base.
Thanks,
Jonathan
> > adis->ops = &adis_default_ops;
> > else if (!adis->ops->write || !adis->ops->read || !adis->ops->reset)
> > return -EINVAL;
>
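Review bot: The replaced condition, if (!adis->ops), no longer matches a driver that passes a non-NULL ops struct with write, read and reset all left NULL. The removed test assigned adis_default_ops in that case; with this change it reaches the else if and returns -EINVAL. If that change in behaviour is intended, say in the commit message that no caller passes an empty ops struct. Otherwise keep the fallback by testing both, for example: if (!adis->ops || (!adis->ops->write && !adis->ops->read && !adis->ops->reset)).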