[PATCH] leds: gpio: Set num_leds after allocation

[PATCH] leds: gpio: Set num_leds after allocation

[Kees Cook]

With the new __counted_by annotation, the "num_leds" variable needs to
valid for accesses to the "leds" array. This requirement is not met in
gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
will not be considered valid (num_leds would need to be "1" to access
index "0").

Fix this by setting the allocation size after allocation, and then update
the final count based on how many were actually added to the array.

Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: Lee Jones <lee@kernel.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: linux-leds@vger.kernel.org
---
 drivers/leds/leds-gpio.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
index 83fcd7b6afff..4d1612d557c8 100644
--- a/drivers/leds/leds-gpio.c
+++ b/drivers/leds/leds-gpio.c
@@ -150,7 +150,7 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
 {
 	struct fwnode_handle *child;
 	struct gpio_leds_priv *priv;
-	int count, ret;
+	int count, used, ret;
 
 	count = device_get_child_node_count(dev);
 	if (!count)
@@ -159,9 +159,11 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
 	priv = devm_kzalloc(dev, struct_size(priv, leds, count), GFP_KERNEL);
 	if (!priv)
 		return ERR_PTR(-ENOMEM);
+	priv->num_leds = count;
+	used = 0;
 
 	device_for_each_child_node(dev, child) {
-		struct gpio_led_data *led_dat = &priv->leds[priv->num_leds];
+		struct gpio_led_data *led_dat = &priv->leds[used];
 		struct gpio_led led = {};
 
 		/*
@@ -197,8 +199,9 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
 		/* Set gpiod label to match the corresponding LED name. */
 		gpiod_set_consumer_name(led_dat->gpiod,
 					led_dat->cdev.dev->kobj.name);
-		priv->num_leds++;
+		used++;
 	}
+	priv->num_leds = used;
 
 	return priv;
 }
-- 
2.34.1

Re: [PATCH] leds: gpio: Set num_leds after allocation

[Gustavo A. R. Silva]

On 16/07/24 15:24, Kees Cook wrote:
> With the new __counted_by annotation, the "num_leds" variable needs to
> valid for accesses to the "leds" array. This requirement is not met in
> gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
> will not be considered valid (num_leds would need to be "1" to access
> index "0").
> 
> Fix this by setting the allocation size after allocation, and then update
> the final count based on how many were actually added to the array.
> 
> Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
> Signed-off-by: Kees Cook <kees@kernel.org>

Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>

Thanks
-- 
Gustavo

> ---
> Cc: Lee Jones <lee@kernel.org>
> Cc: Pavel Machek <pavel@ucw.cz>
> Cc: linux-leds@vger.kernel.org
> ---
>   drivers/leds/leds-gpio.c | 9 ++++++---
>   1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
> index 83fcd7b6afff..4d1612d557c8 100644
> --- a/drivers/leds/leds-gpio.c
> +++ b/drivers/leds/leds-gpio.c
> @@ -150,7 +150,7 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
>   {
>   	struct fwnode_handle *child;
>   	struct gpio_leds_priv *priv;
> -	int count, ret;
> +	int count, used, ret;
>   
>   	count = device_get_child_node_count(dev);
>   	if (!count)
> @@ -159,9 +159,11 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
>   	priv = devm_kzalloc(dev, struct_size(priv, leds, count), GFP_KERNEL);
>   	if (!priv)
>   		return ERR_PTR(-ENOMEM);
> +	priv->num_leds = count;
> +	used = 0;
>   
>   	device_for_each_child_node(dev, child) {
> -		struct gpio_led_data *led_dat = &priv->leds[priv->num_leds];
> +		struct gpio_led_data *led_dat = &priv->leds[used];
>   		struct gpio_led led = {};
>   
>   		/*
> @@ -197,8 +199,9 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
>   		/* Set gpiod label to match the corresponding LED name. */
>   		gpiod_set_consumer_name(led_dat->gpiod,
>   					led_dat->cdev.dev->kobj.name);
> -		priv->num_leds++;
> +		used++;
>   	}
> +	priv->num_leds = used;
>   
>   	return priv;
>   }

Re: [PATCH] leds: gpio: Set num_leds after allocation

[Lee Jones]

On Tue, 16 Jul 2024, Gustavo A. R. Silva wrote:

> 
> 
> On 16/07/24 15:24, Kees Cook wrote:
> > With the new __counted_by annotation, the "num_leds" variable needs to
> > valid for accesses to the "leds" array. This requirement is not met in
> > gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
> > will not be considered valid (num_leds would need to be "1" to access
> > index "0").
> > 
> > Fix this by setting the allocation size after allocation, and then update
> > the final count based on how many were actually added to the array.
> > 
> > Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
> > Signed-off-by: Kees Cook <kees@kernel.org>
> 
> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> 
> Thanks
> -- 

Using the signature tag in the middle of an email turns the remainder of
the body into a signature block, which is odd to say the least.  By all
means sign-off in the middle of a mail, but please refrain from
converting the rest of the mail.

> Gustavo
> 
> > ---
> > Cc: Lee Jones <lee@kernel.org>
> > Cc: Pavel Machek <pavel@ucw.cz>
> > Cc: linux-leds@vger.kernel.org
> > ---
> >   drivers/leds/leds-gpio.c | 9 ++++++---
> >   1 file changed, 6 insertions(+), 3 deletions(-)
> > 
> > diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c
> > index 83fcd7b6afff..4d1612d557c8 100644
> > --- a/drivers/leds/leds-gpio.c
> > +++ b/drivers/leds/leds-gpio.c
> > @@ -150,7 +150,7 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
> >   {
> >   	struct fwnode_handle *child;
> >   	struct gpio_leds_priv *priv;
> > -	int count, ret;
> > +	int count, used, ret;
> >   	count = device_get_child_node_count(dev);
> >   	if (!count)
> > @@ -159,9 +159,11 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
> >   	priv = devm_kzalloc(dev, struct_size(priv, leds, count), GFP_KERNEL);
> >   	if (!priv)
> >   		return ERR_PTR(-ENOMEM);
> > +	priv->num_leds = count;
> > +	used = 0;
> >   	device_for_each_child_node(dev, child) {
> > -		struct gpio_led_data *led_dat = &priv->leds[priv->num_leds];
> > +		struct gpio_led_data *led_dat = &priv->leds[used];
> >   		struct gpio_led led = {};
> >   		/*
> > @@ -197,8 +199,9 @@ static struct gpio_leds_priv *gpio_leds_create(struct device *dev)
> >   		/* Set gpiod label to match the corresponding LED name. */
> >   		gpiod_set_consumer_name(led_dat->gpiod,
> >   					led_dat->cdev.dev->kobj.name);
> > -		priv->num_leds++;
> > +		used++;
> >   	}
> > +	priv->num_leds = used;
> >   	return priv;
> >   }

-- 
Lee Jones [李琼斯]

Re: [PATCH] leds: gpio: Set num_leds after allocation

[Kees Cook]

On Thu, Jul 25, 2024 at 11:22:40AM +0100, Lee Jones wrote:
> On Tue, 16 Jul 2024, Gustavo A. R. Silva wrote:
> 
> > 
> > 
> > On 16/07/24 15:24, Kees Cook wrote:
> > > With the new __counted_by annotation, the "num_leds" variable needs to
> > > valid for accesses to the "leds" array. This requirement is not met in
> > > gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
> > > will not be considered valid (num_leds would need to be "1" to access
> > > index "0").
> > > 
> > > Fix this by setting the allocation size after allocation, and then update
> > > the final count based on how many were actually added to the array.
> > > 
> > > Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
> > > Signed-off-by: Kees Cook <kees@kernel.org>
> > 
> > Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > 
> > Thanks
> > -- 
> 
> Using the signature tag in the middle of an email turns the remainder of
> the body into a signature block, which is odd to say the least.  By all
> means sign-off in the middle of a mail, but please refrain from
> converting the rest of the mail.

Ping. Shall I take this via the hardening tree?

-Kees

-- 
Kees Cook

Re: [PATCH] leds: gpio: Set num_leds after allocation

[Lee Jones]

On Thu, 22 Aug 2024, Kees Cook wrote:

> On Thu, Jul 25, 2024 at 11:22:40AM +0100, Lee Jones wrote:
> > On Tue, 16 Jul 2024, Gustavo A. R. Silva wrote:
> > 
> > > 
> > > 
> > > On 16/07/24 15:24, Kees Cook wrote:
> > > > With the new __counted_by annotation, the "num_leds" variable needs to
> > > > valid for accesses to the "leds" array. This requirement is not met in
> > > > gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
> > > > will not be considered valid (num_leds would need to be "1" to access
> > > > index "0").
> > > > 
> > > > Fix this by setting the allocation size after allocation, and then update
> > > > the final count based on how many were actually added to the array.
> > > > 
> > > > Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by")
> > > > Signed-off-by: Kees Cook <kees@kernel.org>
> > > 
> > > Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> > > 
> > > Thanks
> > > -- 
> > 
> > Using the signature tag in the middle of an email turns the remainder of
> > the body into a signature block, which is odd to say the least.  By all
> > means sign-off in the middle of a mail, but please refrain from
> > converting the rest of the mail.
> 
> Ping. Shall I take this via the hardening tree?

Certainly not. :)

Apologies, looks like I relied to Gustavo then marked the submission as
reviewed.  Applied to the LED tree now, thanks.

-- 
Lee Jones [李琼斯]

Re: (subset) [PATCH] leds: gpio: Set num_leds after allocation

[Lee Jones]

On Tue, 16 Jul 2024 14:24:59 -0700, Kees Cook wrote:
> With the new __counted_by annotation, the "num_leds" variable needs to
> valid for accesses to the "leds" array. This requirement is not met in
> gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0"
> will not be considered valid (num_leds would need to be "1" to access
> index "0").
> 
> Fix this by setting the allocation size after allocation, and then update
> the final count based on how many were actually added to the array.
> 
> [...]

Applied, thanks!

[1/1] leds: gpio: Set num_leds after allocation
      commit: 045391a02bd971d431c83ad03f7cc51b6e2fe331

--
Lee Jones [李琼斯]