Function hmc5843_i2c_probe() defined in drivers/iio/magnetometer/hmc5843_i2c.c calls devm_regmap_init_i2c() which need a return value check. The returned value is dereferenced in 3 function call deeper. However, return value check is missed. Codes related to this bug are shown as follows. drivers/iio/magnetometer/hmc5843_i2c.c: 60 { 61 return hmc5843_common_probe(&cli->dev, 62: devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config), 63 id->driver_data, id->name); 64 } --- drivers/iio/magnetometer/hmc5843_core.c: 618: int hmc5843_common_probe(struct device *dev, struct regmap *regmap, 619 enum hmc5843_ids id, const char *name) 620 { ... 634 data->regmap = regmap; ... 646 ret = hmc5843_init(data); --- drivers/iio/magnetometer/hmc5843_core.c: 569: static int hmc5843_init(struct hmc5843_data *data) 570 { 571 int ret; 572 u8 id[3]; 573 574 ret = regmap_bulk_read(data->regmap, HMC5843_ID_REG, 575 id, ARRAY_SIZE(id)); --- drivers/base/regmap/regmap.c: 2635: int regmap_bulk_read(struct regmap *map, unsigned int reg, void *val, 2636 size_t val_count) 2637 { 2638 int ret, i; 2639 size_t val_bytes = map->format.val_bytes; Thanks for attention! JW, ZG IMChecker Group, THU
We have sent the patch to the developers. Currently, we're formatting the patch according to the Linux development documentation.