drivers/i2c/busses/i2c-cp2615.c | 3 +++ 1 file changed, 3 insertions(+)
The cp2615 driver uses the USB device serial string as the i2c adapter
name but does not make sure that the string exists.
Verify that the device has a serial number before accessing it to avoid
triggering a NULL-pointer dereference (e.g. with malicious devices).
Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
Cc: stable@vger.kernel.org # 5.13
Cc: Bence Csókás <bence98@sch.bme.hu>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/i2c/busses/i2c-cp2615.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
index c1dbf7961a02..951de6249834 100644
--- a/drivers/i2c/busses/i2c-cp2615.c
+++ b/drivers/i2c/busses/i2c-cp2615.c
@@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id)
if (!adap)
return -ENOMEM;
+ if (!usbdev->serial)
+ return -EINVAL;
+
strscpy(adap->name, usbdev->serial, sizeof(adap->name));
adap->owner = THIS_MODULE;
adap->dev.parent = &usbif->dev;
--
2.52.0
Hi Johan,
On Mon, Mar 09, 2026 at 08:50:16AM +0100, Johan Hovold wrote:
> The cp2615 driver uses the USB device serial string as the i2c adapter
> name but does not make sure that the string exists.
>
> Verify that the device has a serial number before accessing it to avoid
> triggering a NULL-pointer dereference (e.g. with malicious devices).
>
> Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> Cc: stable@vger.kernel.org # 5.13
> Cc: Bence Csókás <bence98@sch.bme.hu>
> Signed-off-by: Johan Hovold <johan@kernel.org>
merged to i2c/i2c-host-fixes.
Thanks,
Andi
Reviewed-by: Bence Csókás <bence98@sch.bme.hu>
On 3/9/26 08:50, Johan Hovold wrote:
> The cp2615 driver uses the USB device serial string as the i2c adapter
> name but does not make sure that the string exists.
>
> Verify that the device has a serial number before accessing it to avoid
> triggering a NULL-pointer dereference (e.g. with malicious devices).
>
> Fixes: 4a7695429ead ("i2c: cp2615: add i2c driver for Silicon Labs' CP2615 Digital Audio Bridge")
> Cc: stable@vger.kernel.org # 5.13
> Cc: Bence Csókás <bence98@sch.bme.hu>
> Signed-off-by: Johan Hovold <johan@kernel.org>
> ---
> drivers/i2c/busses/i2c-cp2615.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/i2c/busses/i2c-cp2615.c b/drivers/i2c/busses/i2c-cp2615.c
> index c1dbf7961a02..951de6249834 100644
> --- a/drivers/i2c/busses/i2c-cp2615.c
> +++ b/drivers/i2c/busses/i2c-cp2615.c
> @@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id)
> if (!adap)
> return -ENOMEM;
>
> + if (!usbdev->serial)
> + return -EINVAL;
> +
> strscpy(adap->name, usbdev->serial, sizeof(adap->name));
> adap->owner = THIS_MODULE;
> adap->dev.parent = &usbif->dev;
I didn't realize at the time I wrote this that `serial` can be NULL, I
was under the impression that the USB core would pass me an empty string
if there's no iSerial string descriptor (alas, it does not).
AFAIK real CP2615s will always have a serial, so returning error should
not be a major problem. However, we could just as easily skip
`strscpy()` and go on with the probe with an empty name. But I'm fine
with either solution.
Bence
On Wed, Mar 11, 2026 at 10:40:19PM +0100, Bence Csókás wrote: > Reviewed-by: Bence Csókás <bence98@sch.bme.hu> > > On 3/9/26 08:50, Johan Hovold wrote: > > The cp2615 driver uses the USB device serial string as the i2c adapter > > name but does not make sure that the string exists. > > > > Verify that the device has a serial number before accessing it to avoid > > triggering a NULL-pointer dereference (e.g. with malicious devices). > > @@ -297,6 +297,9 @@ cp2615_i2c_probe(struct usb_interface *usbif, const struct usb_device_id *id) > > if (!adap) > > return -ENOMEM; > > > > + if (!usbdev->serial) > > + return -EINVAL; > > + > > strscpy(adap->name, usbdev->serial, sizeof(adap->name)); > > adap->owner = THIS_MODULE; > > adap->dev.parent = &usbif->dev; > AFAIK real CP2615s will always have a serial, so returning error should > not be a major problem. That's my reasoning as well. In the unlikely event that there'll ever be valid firmware without a serial string we can amend the driver. Johan
© 2016 - 2026 Red Hat, Inc.