1. Patchew
  2. linux
  3. View series

[PATCH] iio: frequency: admv1013: fix NULL pointer dereference on str

Antoniu Miclaus posted 1 patch 1 month, 1 week ago
There is a newer version of this series
drivers/iio/frequency/admv1013.c | 23 +++++------------------
1 file changed, 5 insertions(+), 18 deletions(-)
[PATCH] iio: frequency: admv1013: fix NULL pointer dereference on str
Posted by Antoniu Miclaus 1 month, 1 week ago 
When device_property_read_string() fails, str is left uninitialized
but the code falls through to strcmp(str, ...), dereferencing a garbage
pointer. Replace manual read/strcmp with device_property_match_string()
which handles the missing property case internally.

Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
---
 drivers/iio/frequency/admv1013.c | 23 +++++------------------
 1 file changed, 5 insertions(+), 18 deletions(-)

diff --git a/drivers/iio/frequency/admv1013.c b/drivers/iio/frequency/admv1013.c
index 9202443ef445..a1f88138939d 100644
--- a/drivers/iio/frequency/admv1013.c
+++ b/drivers/iio/frequency/admv1013.c
@@ -515,34 +515,21 @@ static void admv1013_powerdown(void *data)
 static int admv1013_properties_parse(struct admv1013_state *st)
 {
 	int ret;
-	const char *str;
 	struct device *dev = &st->spi->dev;
 
 	st->det_en = device_property_read_bool(dev, "adi,detector-enable");
 
-	ret = device_property_read_string(dev, "adi,input-mode", &str);
-	if (ret)
-		st->input_mode = ADMV1013_IQ_MODE;
-
-	if (!strcmp(str, "iq"))
-		st->input_mode = ADMV1013_IQ_MODE;
-	else if (!strcmp(str, "if"))
+	if (device_property_match_string(dev, "adi,input-mode", "if") >= 0)
 		st->input_mode = ADMV1013_IF_MODE;
 	else
-		return -EINVAL;
-
-	ret = device_property_read_string(dev, "adi,quad-se-mode", &str);
-	if (ret)
-		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
+		st->input_mode = ADMV1013_IQ_MODE;
 
-	if (!strcmp(str, "diff"))
-		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
-	else if (!strcmp(str, "se-pos"))
+	if (device_property_match_string(dev, "adi,quad-se-mode", "se-pos") >= 0)
 		st->quad_se_mode = ADMV1013_SE_MODE_POS;
-	else if (!strcmp(str, "se-neg"))
+	else if (device_property_match_string(dev, "adi,quad-se-mode", "se-neg") >= 0)
 		st->quad_se_mode = ADMV1013_SE_MODE_NEG;
 	else
-		return -EINVAL;
+		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
 
 	ret = devm_regulator_bulk_get_enable(dev,
 					     ARRAY_SIZE(admv1013_vcc_regs),
-- 
2.43.0
Re: [PATCH] iio: frequency: admv1013: fix NULL pointer dereference on str
Posted by Nuno Sá 1 month, 1 week ago 
On Fri, 2026-02-27 at 15:16 +0200, Antoniu Miclaus wrote:
> When device_property_read_string() fails, str is left uninitialized
> but the code falls through to strcmp(str, ...), dereferencing a garbage
> pointer. Replace manual read/strcmp with device_property_match_string()
> which handles the missing property case internally.
> 
> Fixes: da35a7b526d9 ("iio: frequency: admv1013: add support for ADMV1013")
> Signed-off-by: Antoniu Miclaus <antoniu.miclaus@analog.com>
> ---

Semantically it is a bit odd to use device_property_match_string() given it's for arrays.
But it allows for some code simplification so why not?! And we can always see it as
an array of 1 element :)

Reviewed-by: Nuno Sá <nuno.sa@analog>

>  drivers/iio/frequency/admv1013.c | 23 +++++------------------
>  1 file changed, 5 insertions(+), 18 deletions(-)
> 
> diff --git a/drivers/iio/frequency/admv1013.c b/drivers/iio/frequency/admv1013.c
> index 9202443ef445..a1f88138939d 100644
> --- a/drivers/iio/frequency/admv1013.c
> +++ b/drivers/iio/frequency/admv1013.c
> @@ -515,34 +515,21 @@ static void admv1013_powerdown(void *data)
>  static int admv1013_properties_parse(struct admv1013_state *st)
>  {
>  	int ret;
> -	const char *str;
>  	struct device *dev = &st->spi->dev;
>  
>  	st->det_en = device_property_read_bool(dev, "adi,detector-enable");
>  
> -	ret = device_property_read_string(dev, "adi,input-mode", &str);
> -	if (ret)
> -		st->input_mode = ADMV1013_IQ_MODE;
> -
> -	if (!strcmp(str, "iq"))
> -		st->input_mode = ADMV1013_IQ_MODE;
> -	else if (!strcmp(str, "if"))
> +	if (device_property_match_string(dev, "adi,input-mode", "if") >= 0)
>  		st->input_mode = ADMV1013_IF_MODE;
>  	else
> -		return -EINVAL;
> -
> -	ret = device_property_read_string(dev, "adi,quad-se-mode", &str);
> -	if (ret)
> -		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> +		st->input_mode = ADMV1013_IQ_MODE;
>  
> -	if (!strcmp(str, "diff"))
> -		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
> -	else if (!strcmp(str, "se-pos"))
> +	if (device_property_match_string(dev, "adi,quad-se-mode", "se-pos") >= 0)
>  		st->quad_se_mode = ADMV1013_SE_MODE_POS;
> -	else if (!strcmp(str, "se-neg"))
> +	else if (device_property_match_string(dev, "adi,quad-se-mode", "se-neg") >= 0)
>  		st->quad_se_mode = ADMV1013_SE_MODE_NEG;
>  	else
> -		return -EINVAL;
> +		st->quad_se_mode = ADMV1013_SE_MODE_DIFF;
>  
>  	ret = devm_regulator_bulk_get_enable(dev,
>  					     ARRAY_SIZE(admv1013_vcc_regs),
Re: [PATCH] iio: frequency: admv1013: fix NULL pointer dereference on str
Posted by Andy Shevchenko 1 month, 1 week ago 
On Fri, Feb 27, 2026 at 04:14:10PM +0000, Nuno Sá wrote:
> On Fri, 2026-02-27 at 15:16 +0200, Antoniu Miclaus wrote:
> > When device_property_read_string() fails, str is left uninitialized
> > but the code falls through to strcmp(str, ...), dereferencing a garbage
> > pointer. Replace manual read/strcmp with device_property_match_string()
> > which handles the missing property case internally.

> > ---
> 
> Semantically it is a bit odd to use device_property_match_string() given it's for arrays.

Exactly.

> But it allows for some code simplification so why not?! And we can always see it as
> an array of 1 element :)

Shouldn't it be device_property_match_property_string()?

-- 
With Best Regards,
Andy Shevchenko

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.