Re: [PATCH] iio: frequency: admv1013: fix NULL pointer dereference on str
From: Nuno Sá
Date: Fri Feb 27 2026 - 11:19:47 EST
On Fri, 2026-02-27 at 15:16 +0200, Antoniu Miclaus wrote:
> When device_property_read_string() fails, str is left uninitialized
> but the code falls through to strcmp(str, ...), dereferencing a garbage
> pointer. Replace manual read/strcmp with device_property_match_string()
> which handles the missing property case internally.
>
> Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
> Signed-off-by: Antoniu Miclaus <antoniu.miclaus@xxxxxxxxxx>
> ---
Semantically it is a bit odd to use device_property_match_string() given it's for arrays.
But it allows for some code simplification so why not?! And we can always see it as
an array of 1 element :)
Reviewed-by: Nuno Sá <nuno.sa@analog>
> drivers/iio/frequency/admv1013.c | 23 +++++------------------
> 1 file changed, 5 insertions(+), 18 deletions(-)
>
> diff --git a/drivers/iio/frequency/admv1013.c b/drivers/iio/frequency/admv1013.c
> index 9202443ef445..a1f88138939d 100644
> --- a/drivers/iio/frequency/admv1013.c
> +++ b/drivers/iio/frequency/admv1013.c
> @@ -515,34 +515,21 @@ static void admv1013_powerdown(void *data)
> static int admv1013_properties_parse(struct admv1013_state *st)
> {
> int ret;
> - const char *str;
> struct device *dev = &st->spi->dev;
>
> st->det_en = device_property_read_bool(dev, "adi,detector-enable");
>
> - ret = device_property_read_string(dev, "adi,input-mode", &str);
> - if (ret)
> - st->input_mode = ADMV1013_IQ_MODE;
> -
> - if (!strcmp(str, "iq"))
> - st->input_mode = ADMV1013_IQ_MODE;
> - else if (!strcmp(str, "if"))
> + if (device_property_match_string(dev, "adi,input-mode", "if") >= 0)
> st->input_mode = ADMV1013_IF_MODE;
> else
> - return -EINVAL;
> -
> - ret = device_property_read_string(dev, "adi,quad-se-mode", &str);
> - if (ret)
> - st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> + st->input_mode = ADMV1013_IQ_MODE;
>
> - if (!strcmp(str, "diff"))
> - st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> - else if (!strcmp(str, "se-pos"))
> + if (device_property_match_string(dev, "adi,quad-se-mode", "se-pos") >= 0)
> st->quad_se_mode = ADMV1013_SE_MODE_POS;
> - else if (!strcmp(str, "se-neg"))
> + else if (device_property_match_string(dev, "adi,quad-se-mode", "se-neg") >= 0)
> st->quad_se_mode = ADMV1013_SE_MODE_NEG;
> else
> - return -EINVAL;
> + st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
>
> ret = devm_regulator_bulk_get_enable(dev,
> ARRAY_SIZE(admv1013_vcc_regs),