Bug 200487
| Summary: | drivers\bluetooth\hci_bcm.c unchecked return value of devm_clk_get() in function bcm_get_resources() | ||
|---|---|---|---|
| Product: | Drivers | Reporter: | Zuxing Gu (guzx14) |
| Component: | Bluetooth | Assignee: | linux-bluetooth (linux-bluetooth) |
| Status: | NEW --- | ||
| Severity: | normal | ||
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | linux-4.18-rc4 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
Function devm_clk_get() returns an ERR_PTR when it fails. However, in function bcm_get_resources(), its return value is not checked, and will result in bad memory access. Even though the second parameter is NULL, we find that other usages of devm_clk_get(*, NULL) have been checked. linux-4.18-rc1\drivers\bluetooth\hci_bcm.c static int bcm_get_resources(struct bcm_device *dev) { const struct dmi_system_id *dmi_id; dev->name = dev_name(dev->dev); if (x86_apple_machine && !bcm_apple_get_resources(dev)) return 0; dev->clk = devm_clk_get(dev->dev, NULL); dev->device_wakeup = devm_gpiod_get_optional(dev->dev, "device-wakeup", GPIOD_OUT_LOW); if (IS_ERR(dev->device_wakeup)) return PTR_ERR(dev->device_wakeup) linux-4.18-rc1\drivers\bus\imx-weim.c: 188: clk = devm_clk_get(&pdev->dev, NULL); 189 if (IS_ERR(clk)) 190 return PTR_ERR(clk); ZG IMChecker Group, THU