From: sashiko-bot@kernel.org
To: "Svyatoslav Ryhel" <clamor95@gmail.com>
Cc: conor+dt@kernel.org, devicetree@vger.kernel.org, robh@kernel.org
Subject: Re: [PATCH v2 3/6] mfd: lm3533: Add support for VIN power supply
Date: Thu, 28 May 2026 14:56:08 +0000 [thread overview]
Message-ID: <20260528145608.D08FD1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260528135123.103745-4-clamor95@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The `lm3533_cells` array is allocated on the stack without initialization, leading to memory corruption and kernel panics.
--
commit d39c7ac544b69e1a515d2b34cf44f319c6f00c0a
Author: Svyatoslav Ryhel <clamor95@gmail.com>
mfd: lm3533: Add support for VIN power supply
This commit adds support for a 2.7V-5.5V vin power supply to the
lm3533 core driver. It acquires the regulator in the probe function
and toggles it during the enable and disable sequences.
> diff --git a/drivers/mfd/lm3533-core.c b/drivers/mfd/lm3533-core.c
> index 8495e91198711..519f8c16a3f35 100644
> --- a/drivers/mfd/lm3533-core.c
> +++ b/drivers/mfd/lm3533-core.c
[ ... ]
> @@ -324,7 +336,9 @@ static int lm3533_device_init(struct lm3533 *lm3533)
> u32 count = 0, reg;
> int ret;
>
> - lm3533_enable(lm3533);
> + ret = lm3533_enable(lm3533);
> + if (ret)
> + return ret;
>
> device_for_each_child_node_scoped(lm3533->dev, child) {
> if (!fwnode_device_is_available(child))
[Severity: High]
This isn't a bug introduced by this patch, but it was introduced earlier in
this patch series (in "mfd: lm3533: Convert to use OF bindings") and
remains unfixed.
Does this code pass uninitialized stack memory to the mfd core?
In lm3533_device_init(), the array is declared on the stack without zero
initialization:
struct mfd_cell lm3533_cells[LM3533_CELLS_MAX];
When processing the child nodes, only specific fields like name, id, and
of_compatible are assigned. All other fields in the mfd_cell structs,
such as pdata_size, resources, and num_resources, remain populated with
uninitialized stack garbage.
When this array is passed to mfd_add_devices(), the mfd core processes
these garbage values. If pdata_size contains a non-zero garbage value,
mfd_add_device() will call kmemdup() on the garbage platform_data
pointer, which could result in an immediate kernel panic.
Furthermore, if an available child node does not match any of the
supported compatible strings, count is still incremented:
device_for_each_child_node_scoped(lm3533->dev, child) {
...
if (fwnode_device_is_compatible(child, "ti,lm3533-als")) {
...
}
...
count++;
}
Could this cause a completely uninitialized cell (with a garbage name
pointer) to be processed? This could also lead to a crash during mfd
registration.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260528135123.103745-1-clamor95@gmail.com?part=3
next prev parent reply other threads:[~2026-05-28 15:02 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 13:51 [PATCH v2 0/6] mfd: lm3533: convert to OF bindings, improve support Svyatoslav Ryhel
2026-05-28 13:51 ` [PATCH v2 1/6] dt-bindings: leds: Document TI LM3533 LED controller Svyatoslav Ryhel
2026-05-28 14:08 ` sashiko-bot
2026-05-28 14:54 ` Jonathan Cameron
2026-05-29 9:51 ` Daniel Thompson
2026-05-29 10:07 ` Svyatoslav Ryhel
2026-05-29 10:46 ` Daniel Thompson
2026-05-29 10:56 ` Svyatoslav Ryhel
2026-05-28 13:51 ` [PATCH v2 2/6] mfd: lm3533: Convert to use OF bindings Svyatoslav Ryhel
2026-05-28 14:37 ` sashiko-bot
2026-05-28 14:50 ` Jonathan Cameron
2026-05-28 15:03 ` Svyatoslav Ryhel
2026-05-29 9:08 ` Jonathan Cameron
2026-05-29 9:39 ` Svyatoslav Ryhel
2026-05-29 10:48 ` Jonathan Cameron
2026-05-29 11:02 ` Svyatoslav Ryhel
2026-05-29 13:10 ` Jonathan Cameron
2026-05-29 11:00 ` Daniel Thompson
2026-05-29 11:06 ` Svyatoslav Ryhel
2026-05-28 13:51 ` [PATCH v2 3/6] mfd: lm3533: Add support for VIN power supply Svyatoslav Ryhel
2026-05-28 14:56 ` sashiko-bot [this message]
2026-05-28 13:51 ` [PATCH v2 4/6] mfd: lm3533: Set DMA mask Svyatoslav Ryhel
2026-05-28 15:28 ` sashiko-bot
2026-05-28 13:51 ` [PATCH v2 5/6] video: backlight: lm3533_bl: Set initial mapping mode from DT Svyatoslav Ryhel
2026-05-28 16:00 ` sashiko-bot
2026-05-29 11:10 ` Daniel Thompson
2026-05-29 11:17 ` Svyatoslav Ryhel
2026-05-29 11:40 ` Daniel Thompson
2026-05-28 13:51 ` [PATCH v2 6/6] video: leds: backlight: lm3533: Support getting LED sources " Svyatoslav Ryhel
2026-05-28 16:33 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260528145608.D08FD1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=clamor95@gmail.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.