Linux LED subsystem development
From: sashiko-bot@kernel.org
To: "Manuel Fombuena" <fombuena@outlook.com>
Cc: linux-leds@vger.kernel.org, lee@kernel.org
Subject: Re: [PATCH v6 8/9] leds: st1202: validate LED reg property against channel count
Date: Thu, 02 Jul 2026 18:02:08 +0000
Message-ID: <20260702180208.CB7C41F00A3A@smtp.kernel.org>
In-Reply-To: <GV1PR08MB84977B1A5C6CF09FF643498BC5F52@GV1PR08MB8497.eurprd08.prod.outlook.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] The driver saves an unreferenced `fwnode` pointer from an OF iterator, leading to a potential use-after-free when registering the LED device.
--

commit c706b102612aa127883dfb65d961c6ac4e7aa123
Author: Manuel Fombuena <fombuena@outlook.com>

leds: st1202: validate LED reg property against channel count

This commit adds bounds checking for the reg property parsed from the device
tree. It ensures the value is within the ST1202_MAX_LEDS limit to prevent
out-of-bounds writes into the chip->leds array during probe.

> diff --git a/drivers/leds/leds-st1202.c b/drivers/leds/leds-st1202.c
> --- a/drivers/leds/leds-st1202.c
> +++ b/drivers/leds/leds-st1202.c
[ ... ]
> @@ -279,13 +279,19 @@ static int st1202_dt_init(struct st1202_chip *chip)
[ ... ]
>  		if (reg >= ST1202_MAX_LEDS)
>  			return dev_err_probe(dev, -EINVAL,
>  					"LED reg %u out of range [0, %d]\n",
>  					reg, ST1202_MAX_LEDS - 1);
>  
>  		led = &chip->leds[reg];
>  		led->is_active = true;
>  		led->fwnode = of_fwnode_handle(child);
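
Review bot: The range check at `if (reg >= ST1202_MAX_LEDS)` does not catch a duplicate reg, so two child nodes carrying the same value both resolve to `chip->leds[reg]` and the second one silently overwrites `led->fwnode` from the first. If `is_active` starts out false for every slot, testing it before `led->is_active = true;` and returning -EINVAL through dev_err_probe() would reject that case alongside the out-of-range one. The error text would also be easier to act on if it named the offending child node, since reg alone does not say which node in the device tree carried the bad value.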

[Severity: High]
This isn't a bug introduced by this patch, but does st1202_dt_init() save
an unreferenced fwnode pointer here?

The scoped iterator for_each_available_child_of_node_scoped() automatically
drops the reference to the child node when the loop advances or exits. Because
the driver does not explicitly acquire a reference via fwnode_handle_get() or
of_node_get(), the saved pointer becomes unreferenced.

If the device tree node is dynamically removed (for example, via DT overlay
removal) after the loop finishes, its memory will be freed. Later in
st1202_probe(), devm_led_classdev_register_ext() calls device_add(), which
dereferences dev->fwnode and attempts to increment its reference count,
resulting in a use-after-free.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/GV1PR08MB84972A16ED557BFB96D63F57C5F52@GV1PR08MB8497.eurprd08.prod.outlook.com?part=8
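
The lifetime problem described in the review above, as a small userspace model (an added example, not code from the driver or the kernel). `struct node`, `node_get()`, `node_put()` and `scan_children()` are hypothetical stand-ins for the device tree node, its reference helpers and the probe loop, and a `released` flag replaces the actual free so the outcome can be checked safely.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy stand-in for a device tree node: a refcount plus a "released" flag
 * (set instead of calling free() so the outcome can be inspected). */
struct node { int refcount; bool released; };

static struct node *node_get(struct node *n) { if (n) n->refcount++; return n; }
static void node_put(struct node *n)
{
	if (n && --n->refcount == 0)
		n->released = true;
}

/* Cleanup handler: models the scoped iterator dropping its reference. */
static void put_scoped(struct node **p) { node_put(*p); }

/* Walk the children the way a probe routine would, remembering the first.
 * take_ref selects whether the saved pointer gets its own reference. */
static struct node *scan_children(struct node *children, size_t n, bool take_ref)
{
	struct node *saved = NULL;

	for (size_t i = 0; i < n; i++) {
		/* The iterator holds a reference only for this iteration. */
		struct node *child __attribute__((cleanup(put_scoped))) =
			node_get(&children[i]);

		if (i == 0)
			saved = take_ref ? node_get(child) : child;
	}
	return saved;
}

/* True if the saved node is released once the tree drops its own reference
 * (the overlay-removal case), i.e. the saved pointer would dangle. */
bool saved_pointer_dangles(bool take_ref)
{
	struct node children[2] = { { 1, false }, { 1, false } }; /* tree's ref */
	struct node *saved = scan_children(children, 2, take_ref);

	node_put(&children[0]);		/* constructed "overlay removal" */
	return saved->released;
}

int main(void)
{
	/* 0 when only the unreferenced pointer ends up dangling */
	return !(saved_pointer_dangles(false) && !saved_pointer_dangles(true));
}
```

In the model, the extra `node_get()` on the saved pointer is what keeps the node alive after the tree lets go of it; a real driver would pair that reference with a matching put on teardown.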


Thread overview: 21+ messages
2026-07-02 17:33 [PATCH v6 0/9] leds: st1202: fix multiple bugs in pattern engine and brightness handling Manuel Fombuena
2026-07-02 17:36 ` [PATCH v6 1/9] leds: st1202: stop pattern sequence before reprogramming Manuel Fombuena
2026-07-02 17:55   ` sashiko-bot
2026-07-02 17:37 ` [PATCH v6 2/9] leds: st1202: validate pattern input before stopping the sequence Manuel Fombuena
2026-07-02 17:58   ` sashiko-bot
2026-07-02 17:37 ` [PATCH v6 3/9] leds: st1202: fix pattern duration prescaler and pattern_clear skip marker Manuel Fombuena
2026-07-02 17:55   ` sashiko-bot
2026-07-02 17:38 ` [PATCH v6 4/9] leds: st1202: set all pattern PWM slots to full after clearing pattern Manuel Fombuena
2026-07-02 17:55   ` sashiko-bot
2026-07-02 22:09     ` Manuel Fombuena
2026-07-02 17:39 ` [PATCH v6 5/9] leds: st1202: fix spurious pattern sequence start in setup Manuel Fombuena
2026-07-02 17:53   ` sashiko-bot
2026-07-02 17:41 ` [PATCH v6 6/9] leds: st1202: fix brightness having no effect while pattern mode is active Manuel Fombuena
2026-07-02 17:56   ` sashiko-bot
2026-07-02 21:58     ` Manuel Fombuena
2026-07-02 17:42 ` [PATCH v6 7/9] leds: st1202: disable channel when brightness is set to zero Manuel Fombuena
2026-07-02 17:58   ` sashiko-bot
2026-07-02 17:43 ` [PATCH v6 8/9] leds: st1202: validate LED reg property against channel count Manuel Fombuena
2026-07-02 18:02   ` sashiko-bot [this message]
2026-07-02 17:44 ` [PATCH v6 9/9] leds: st1202: correct and extend hw_pattern documentation Manuel Fombuena
2026-07-02 18:06   ` sashiko-bot
