From: sashiko-bot@kernel.org
To: "Manuel Fombuena" <fombuena@outlook.com>
Cc: lee@kernel.org, linux-leds@vger.kernel.org
Subject: Re: [PATCH v6 5/9] leds: st1202: fix spurious pattern sequence start in setup
Date: Thu, 02 Jul 2026 17:53:31 +0000 [thread overview]
Message-ID: <20260702175331.8C9081F000E9@smtp.kernel.org> (raw)
In-Reply-To: <GV1PR08MB8497ECDF070E9D82D0D2E983C5F52@GV1PR08MB8497.eurprd08.prod.outlook.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
Pre-existing issues:
- [High] The non-blocking `brightness_set` callback is assigned to a sleeping function, and `brightness_set_blocking` improperly discards brightness values.
- [High] Per-LED pattern callbacks inappropriately modify global chip sequencer registers, corrupting state for other channels.
- [High] Device tree node `fwnode` pointer is saved without incrementing its reference count, resulting in a dangling pointer.
--
commit 0028567786c848c91c978540c9eaefe27ea93565
Author: Manuel Fombuena <fombuena@outlook.com>
leds: st1202: fix spurious pattern sequence start in setup
This patch removes a final write to the configuration register in
st1202_setup(). The removal prevents the hardware pattern sequencer from
starting prematurely during device probe before any patterns have been
programmed.
> diff --git a/drivers/leds/leds-st1202.c b/drivers/leds/leds-st1202.c
> index 3203b3768ec52..b8a5712829009 100644
> --- a/drivers/leds/leds-st1202.c
> +++ b/drivers/leds/leds-st1202.c
> @@ -333,11 +333,6 @@ static int st1202_setup(struct st1202_chip *chip)
> if (ret < 0)
> return ret;
>
> - ret = st1202_write_reg(chip, ST1202_CONFIG_REG,
> - ST1202_CONFIG_REG_PATS | ST1202_CONFIG_REG_PATSR);
> - if (ret < 0)
> - return ret;
> -
> return 0;
> }
[Severity: High]
This isn't a bug introduced by this patch, but does st1202_dt_init() create a
dangling fwnode pointer?
When retrieving the child nodes via for_each_available_child_of_node_scoped(),
the node reference is dropped automatically at the end of the loop:
st1202_dt_init() {
...
for_each_available_child_of_node_scoped(dev_of_node(dev), child) {
...
led->fwnode = of_fwnode_handle(child);
}
...
}
Because fwnode_handle_get() is not used before assigning to led->fwnode, this
pointer becomes dangling after the loop ends and is later dereferenced in
st1202_probe() when calling devm_led_classdev_register_ext().
Can this lead to a use-after-free, especially if dynamic device trees or
overlays are used?
[Severity: High]
This is a pre-existing issue, but are the blocking and non-blocking brightness
callbacks swapped in st1202_dt_init()?
st1202_dt_init() {
...
led->led_cdev.brightness_set_blocking = st1202_led_set;
...
led->led_cdev.brightness_set = st1202_brightness_set;
...
}
The non-blocking brightness_set callback is assigned to
st1202_brightness_set(), which takes a mutex and performs I2C transactions
that can sleep:
st1202_brightness_set() {
...
guard(mutex)(&chip->lock);
st1202_write_reg(chip, ST1202_ILED_REG0 + led->led_num, value);
}
Could this cause a scheduling while atomic bug if triggered from an atomic
context like a software timer?
At the same time, the blocking callback is assigned to st1202_led_set(),
which completely discards intermediate brightness values and only toggles
the channel on or off:
st1202_led_set() {
...
return st1202_channel_set(led->chip, led->led_num, !!value);
}
[Severity: High]
This isn't a bug introduced by this patch, but do the per-LED pattern
callbacks corrupt global sequencer registers for other LEDs?
In st1202_led_pattern_clear(), the function unconditionally zeroes out the
global pattern duration registers:
st1202_led_pattern_clear() {
...
for (int patt = 0; patt < ST1202_MAX_PATTERNS; patt++) {
...
ret = st1202_write_reg(chip, ST1202_PATTERN_DUR + patt, 0);
}
...
}
Similarly, st1202_led_pattern_set() resets the global sequence enable bits
for the whole chip:
st1202_led_pattern_set() {
...
ret = st1202_write_reg(chip, ST1202_CONFIG_REG, (ST1202_CONFIG_REG_PATSR |
ST1202_CONFIG_REG_PATS | ST1202_CONFIG_REG_SHFT));
...
}
Since these registers are shared across all channels on the chip, will clearing
or setting a pattern on one LED arbitrarily destroy the pattern state of
another LED running simultaneously?
--
Sashiko AI review · https://sashiko.dev/#/patchset/GV1PR08MB84972A16ED557BFB96D63F57C5F52@GV1PR08MB8497.eurprd08.prod.outlook.com?part=5
next prev parent reply other threads:[~2026-07-02 17:53 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 17:33 [PATCH v6 0/9] leds: st1202: fix multiple bugs in pattern engine and brightness handling Manuel Fombuena
2026-07-02 17:36 ` [PATCH v6 1/9] leds: st1202: stop pattern sequence before reprogramming Manuel Fombuena
2026-07-02 17:55 ` sashiko-bot
2026-07-02 17:37 ` [PATCH v6 2/9] leds: st1202: validate pattern input before stopping the sequence Manuel Fombuena
2026-07-02 17:58 ` sashiko-bot
2026-07-02 17:37 ` [PATCH v6 3/9] leds: st1202: fix pattern duration prescaler and pattern_clear skip marker Manuel Fombuena
2026-07-02 17:55 ` sashiko-bot
2026-07-02 17:38 ` [PATCH v6 4/9] leds: st1202: set all pattern PWM slots to full after clearing pattern Manuel Fombuena
2026-07-02 17:55 ` sashiko-bot
2026-07-02 22:09 ` Manuel Fombuena
2026-07-02 17:39 ` [PATCH v6 5/9] leds: st1202: fix spurious pattern sequence start in setup Manuel Fombuena
2026-07-02 17:53 ` sashiko-bot [this message]
2026-07-02 17:41 ` [PATCH v6 6/9] leds: st1202: fix brightness having no effect while pattern mode is active Manuel Fombuena
2026-07-02 17:56 ` sashiko-bot
2026-07-02 21:58 ` Manuel Fombuena
2026-07-02 17:42 ` [PATCH v6 7/9] leds: st1202: disable channel when brightness is set to zero Manuel Fombuena
2026-07-02 17:58 ` sashiko-bot
2026-07-02 17:43 ` [PATCH v6 8/9] leds: st1202: validate LED reg property against channel count Manuel Fombuena
2026-07-02 18:02 ` sashiko-bot
2026-07-02 17:44 ` [PATCH v6 9/9] leds: st1202: correct and extend hw_pattern documentation Manuel Fombuena
2026-07-02 18:06 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260702175331.8C9081F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=fombuena@outlook.com \
--cc=lee@kernel.org \
--cc=linux-leds@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox