From nobody Sun May 24 22:35:56 2026 Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09D633FE652 for ; Wed, 20 May 2026 18:51:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.53 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779303119; cv=none; b=RBySTlr6EKrOfgIDWEjqvQdnZeS/3be8MoPmrsuV3UfsFsIHFQVUj7S85tyOarbMK8Bc3q/IJKIJ5m2aE0MSl+JrcBtMQHeHvCDlaj3NAvBLe6HuSrSXsipNIDbRAOZQ6502IlP1TF+MSS06vnYIcJc9SmCL8gYZnh3OKgAaPTs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779303119; c=relaxed/simple; bh=H3E+RZJ0ZZQdGvIV9hZi2HA8RPpyijoz6EaLubDIzr4=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=XA44sunqDF1CcL1tNiCZo3LnDdnYVpkAXbmanFji+Q4dDRqKWOO5ZsKxckThQG/yaV0JCJmFKt06XOWHwXQKCFpFulXhPdPkVCdLkhRh6b/lNE5qBFn+99dGSs6rzSX7s4G/o53uHCsH7Qmt9VEdC2rly+8qSrKyz9iq8bmgZG8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Yvuyyfv0; arc=none smtp.client-ip=209.85.221.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Yvuyyfv0" Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-44b7e8b65faso344836f8f.1 for ; Wed, 20 May 2026 11:51:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779303115; x=1779907915; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=kPQEZefd1Ef2xxJ5Qo6FIZLbI7JvvMhU7kzfA8EEsl8=; b=Yvuyyfv0Z/yjvFrTAb0o8G0pe35OOxVwv5rt1hlTR1QBDknx+I9eTQTWCyN8R9hxdi IN5Uz/LnuegGO2rsyOnhp3GLI52wxq4Ht6RanA2skwsB/unZoECcltT6tirFrTtruVnP WwgNF9PowrmIVy1UzQmikIz44iC6kXwxZ1g2O/p2vFGxT/iyNvzgVDhMK9F/ekXUfIeh GI7Sr7mI5JuvNqrasqX3L3RFpYdkq1J9l24Yb6W8V/1/loWLptycTqh0ZdV7n3zw1toZ fNnseZ5CbM8mfO5LZ+bGiWcsqcFQnXRzx5yc6U5st/xSmUYTwIcGpHcUBTbwiMiy3OFC r0HA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779303115; x=1779907915; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=kPQEZefd1Ef2xxJ5Qo6FIZLbI7JvvMhU7kzfA8EEsl8=; b=GKAyorL2OR1YPVKDnW2fu/p1as4YibhnHOWUd/V+AM5FoE1ScvRM3nb1lj3/lXu74B vL/kv++IU+XXNeWLPpscJfWgMqC11ObgY7pnpHMMsn0v4uhDmXfMWBCYRH2P7XhcW5tB FpqULRnkzogF0fdeDApjGCLk26lBabEk3JVWoxfg2PNElkREObssVlKXRFOCkwT1C0uW uGEyZKHi1BGfWWra8URu5IWsEGxMfJyDwuXGJthdX+9Efk2kBa5FzBtn4jPl+6mR1HZI kRmrqBviXMzgr9Za2fsFmpD7aYRilZnaKmKBlAh3m8Q+IdPFexgAL+zglMMx2O2RV47H NrLA== X-Forwarded-Encrypted: i=1; AFNElJ+nC+0aNuS+6Dspv8Xw9MfnnTUTa2YYksqysZ5b+tG3HG4GY1FYxVkDPJzNdNWXw5MyX+H08klDgt8Olb4=@vger.kernel.org X-Gm-Message-State: AOJu0Yz7958lMJeaUbdiwSDjmZMMabTREGmHnj2H34cDp4ylq0pQ1CII EreJODc2355r1aPNzgNd0E4T/Vxb06rpwEZTyBZzbQYuej4JUrniS1oS9bzKmgHi+yQ= X-Gm-Gg: Acq92OHk+NJ/8Mw/X7s+qsHNikwT494zSkM6STB6AbjyCGZY/LmxKK5bKFbjED/zKW9 mM5JsxSr3dfgRueqJEzjpSm2CHUPrEEdaZbwnb+JFNYBy2Vszj1yFLg45SgxGUqCFeeBdevSL3B 7bGiVLL+r/ANmxl1fNYDeqfsSYj1dh4N3iajHim5Bq3TyapjOJPkWIH5qUEPe5Oyqf7yVztGvNL HNkhAvpDtMDrp0IQ3o6HNaDbcZyIERRB5nK+1Num8qN8wjQskVT6P9CiFf8IxbyZqUJvGpXfjmv BSawEbro26KGRGHC/Zd+GFVPwL4aCTOzkxp+llufb/eP6ERaWCjJbKAgzLQ8+fmf1NlwmWc/5QY DVsUZgzzKYfX6oegoCYdwyFbVl0/zV10EVZv/yQW+5Cp2VGxZnFSnmxPnOTYVeNdvmxqYkHvjIg 6CZzOH1miL3acuK7fL0KewF1GQGXFR1qRyxbohKPHpSDcG X-Received: by 2002:a05:6000:24c3:b0:45e:8a84:bf68 with SMTP id ffacd0b85a97d-45e8a84bfa2mr6451715f8f.3.1779303114806; Wed, 20 May 2026 11:51:54 -0700 (PDT) Received: from localhost.localdomain ([82.215.118.79]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-45da0fe1a41sm60518272f8f.31.2026.05.20.11.51.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 May 2026 11:51:54 -0700 (PDT) From: Stepan Ionichev To: jic23@kernel.org Cc: dlechner@baylibre.com, nuno.sa@analog.com, andy@kernel.org, hcazarim@yahoo.com, linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org, sozdayvek@gmail.com Subject: [PATCH] iio: potentiostat: lmp91000: fix NULL deref in probe by reordering setup Date: Wed, 20 May 2026 23:51:41 +0500 Message-Id: <20260520185142.34015-1-sozdayvek@gmail.com> X-Mailer: git-send-email 2.33.0.windows.2 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" lmp91000_probe() calls iio_trigger_set_immutable() with iio_channel_cb_get_iio_dev(data->cb_buffer) before data->cb_buffer is assigned. The struct is zero-initialised by devm_iio_device_alloc(), so cb_buffer is NULL on entry, and iio_channel_cb_get_iio_dev() does an unconditional cb_buffer->indio_dev which dereferences NULL. Reorder probe to acquire cb_buffer first (handling -EPROBE_DEFER) and only then set the immutable trigger, register the trigger, set up the triggered buffer, and register the iio device. Move the cb_buffer release to the end of the cleanup chain so a late failure properly unwinds in reverse order. Signed-off-by: Stepan Ionichev --- drivers/iio/potentiostat/lmp91000.c | 36 +++++++++++++---------------- 1 file changed, 16 insertions(+), 20 deletions(-) diff --git a/drivers/iio/potentiostat/lmp91000.c b/drivers/iio/potentiostat= /lmp91000.c index eccc2a343..7a938a023 100644 --- a/drivers/iio/potentiostat/lmp91000.c +++ b/drivers/iio/potentiostat/lmp91000.c @@ -330,17 +330,27 @@ static int lmp91000_probe(struct i2c_client *client) if (ret) return ret; =20 + data->cb_buffer =3D iio_channel_get_all_cb(dev, &lmp91000_buffer_cb, + indio_dev); + if (IS_ERR(data->cb_buffer)) { + if (PTR_ERR(data->cb_buffer) =3D=3D -ENODEV) + return -EPROBE_DEFER; + return PTR_ERR(data->cb_buffer); + } + + data->adc_chan =3D iio_channel_cb_get_channels(data->cb_buffer); + ret =3D iio_trigger_set_immutable(iio_channel_cb_get_iio_dev(data->cb_buf= fer), data->trig); if (ret) { dev_err(dev, "cannot set immutable trigger.\n"); - return ret; + goto error_release_cb; } =20 ret =3D iio_trigger_register(data->trig); if (ret) { dev_err(dev, "cannot register iio trigger.\n"); - return ret; + goto error_release_cb; } =20 ret =3D iio_triggered_buffer_setup(indio_dev, NULL, @@ -349,35 +359,21 @@ static int lmp91000_probe(struct i2c_client *client) if (ret) goto error_unreg_trigger; =20 - data->cb_buffer =3D iio_channel_get_all_cb(dev, &lmp91000_buffer_cb, - indio_dev); - - if (IS_ERR(data->cb_buffer)) { - if (PTR_ERR(data->cb_buffer) =3D=3D -ENODEV) - ret =3D -EPROBE_DEFER; - else - ret =3D PTR_ERR(data->cb_buffer); - - goto error_unreg_buffer; - } - - data->adc_chan =3D iio_channel_cb_get_channels(data->cb_buffer); - ret =3D iio_device_register(indio_dev); if (ret) - goto error_unreg_cb_buffer; + goto error_unreg_buffer; =20 return 0; =20 -error_unreg_cb_buffer: - iio_channel_release_all_cb(data->cb_buffer); - error_unreg_buffer: iio_triggered_buffer_cleanup(indio_dev); =20 error_unreg_trigger: iio_trigger_unregister(data->trig); =20 +error_release_cb: + iio_channel_release_all_cb(data->cb_buffer); + return ret; } =20 --=20 2.43.0