public inbox for linux-kernel@vger.kernel.org
From: Christian Marangi <ansuelsmth@gmail.com>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: oe-kbuild@lists.linux.dev, Pavel Machek <pavel@ucw.cz>,
	Lee Jones <lee@kernel.org>, Rob Herring <robh@kernel.org>,
	Krzysztof Kozlowski <krzk@kernel.org>,
	Conor Dooley <conor+dt@kernel.org>,
	Jacek Anaszewski <jacek.anaszewski@gmail.com>,
	linux-leds@vger.kernel.org, devicetree@vger.kernel.org,
	linux-kernel@vger.kernel.org, lkp@intel.com,
	oe-kbuild-all@lists.linux.dev
Subject: Re: [PATCH v3 3/3] leds: leds-lp5569: Add support for Texas Instruments LP5569
Date: Wed, 29 May 2024 16:39:42 +0200
Message-ID: <66573e2f.050a0220.4afa0.0925@mx.google.com>
In-Reply-To: <1f970609-42fa-4e6d-95d3-7ccdf52d3fee@moroto.mountain>

On Wed, May 29, 2024 at 05:32:16PM +0300, Dan Carpenter wrote:
> Hi Christian,
> 
> kernel test robot noticed the following build warnings:
> 
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
> 
> url:    https://github.com/intel-lab-lkp/linux/commits/Christian-Marangi/dt-bindings-leds-lp55xx-Add-new-ti-lp5569-compatible/20240527-174959
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/lee/leds.git for-leds-next
> patch link:    https://lore.kernel.org/r/20240527094737.13354-3-ansuelsmth%40gmail.com
> patch subject: [PATCH v3 3/3] leds: leds-lp5569: Add support for Texas Instruments LP5569
> config: sparc-randconfig-r071-20240528 (https://download.01.org/0day-ci/archive/20240528/202405280611.QUICzlRj-lkp@intel.com/config)
> compiler: sparc-linux-gcc (GCC) 13.2.0
> 
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@intel.com>
> | Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> | Closes: https://lore.kernel.org/r/202405280611.QUICzlRj-lkp@intel.com/
> 
> New smatch warnings:
> drivers/leds/leds-lp5569.c:378 lp5569_update_program_memory() error: buffer overflow 'pattern' 128 <= 223
> 
> vim +/pattern +378 drivers/leds/leds-lp5569.c
> 
> ed7ae4f43e228c Christian Marangi 2024-05-27  340  static int lp5569_update_program_memory(struct lp55xx_chip *chip,
> ed7ae4f43e228c Christian Marangi 2024-05-27  341  					const u8 *data, size_t size)
> ed7ae4f43e228c Christian Marangi 2024-05-27  342  {
> ed7ae4f43e228c Christian Marangi 2024-05-27  343  	enum lp55xx_engine_index idx = chip->engine_idx;
> ed7ae4f43e228c Christian Marangi 2024-05-27  344  	u8 pattern[LP5569_PROGRAM_LENGTH] = {0};
> ed7ae4f43e228c Christian Marangi 2024-05-27  345  	unsigned int cmd;
> ed7ae4f43e228c Christian Marangi 2024-05-27  346  	char c[3];
> ed7ae4f43e228c Christian Marangi 2024-05-27  347  	int nrchars;
> ed7ae4f43e228c Christian Marangi 2024-05-27  348  	int ret;
> ed7ae4f43e228c Christian Marangi 2024-05-27  349  	int offset = 0;
> ed7ae4f43e228c Christian Marangi 2024-05-27  350  	int page, i = 0;
> ed7ae4f43e228c Christian Marangi 2024-05-27  351  
> ed7ae4f43e228c Christian Marangi 2024-05-27  352  	while ((offset < size - 1) && (i < LP5569_PROGRAM_LENGTH)) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  353  		/* separate sscanfs because length is working only for %s */
> ed7ae4f43e228c Christian Marangi 2024-05-27  354  		ret = sscanf(data + offset, "%2s%n ", c, &nrchars);
> ed7ae4f43e228c Christian Marangi 2024-05-27  355  		if (ret != 1)
> ed7ae4f43e228c Christian Marangi 2024-05-27  356  			goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  357  
> ed7ae4f43e228c Christian Marangi 2024-05-27  358  		ret = sscanf(c, "%2x", &cmd);
> ed7ae4f43e228c Christian Marangi 2024-05-27  359  		if (ret != 1)
> ed7ae4f43e228c Christian Marangi 2024-05-27  360  			goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  361  
> ed7ae4f43e228c Christian Marangi 2024-05-27  362  		pattern[i] = (u8)cmd;
> ed7ae4f43e228c Christian Marangi 2024-05-27  363  		offset += nrchars;
> ed7ae4f43e228c Christian Marangi 2024-05-27  364  		i++;
> ed7ae4f43e228c Christian Marangi 2024-05-27  365  	}
> ed7ae4f43e228c Christian Marangi 2024-05-27  366  
> ed7ae4f43e228c Christian Marangi 2024-05-27  367  	/* Each instruction is 16bit long. Check that length is even */
> ed7ae4f43e228c Christian Marangi 2024-05-27  368  	if (i % 2)
> ed7ae4f43e228c Christian Marangi 2024-05-27  369  		goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  370  
> ed7ae4f43e228c Christian Marangi 2024-05-27  371  	for (page = 0; page < LP5569_PROGRAM_LENGTH / LP5569_BYTES_PER_PAGE; page++) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  372  		/* Write to the next page each 32 bytes */
> ed7ae4f43e228c Christian Marangi 2024-05-27  373  		lp55xx_write(chip, LP5569_REG_PROG_PAGE_SEL,
> ed7ae4f43e228c Christian Marangi 2024-05-27  374  			     LP5569_PAGE_ENG(idx) + page);
> ed7ae4f43e228c Christian Marangi 2024-05-27  375  
> ed7ae4f43e228c Christian Marangi 2024-05-27  376  		for (i = 0; i < LP5569_PROGRAM_LENGTH; i++) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  377  			ret = lp55xx_write(chip, LP5569_REG_PROG_MEM + i,
> ed7ae4f43e228c Christian Marangi 2024-05-27 @378  					   pattern[i + (page * LP5569_BYTES_PER_PAGE)]);
>                                                                                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> i can go up to LP5569_PROGRAM_LENGTH and "page * LP5569_BYTES_PER_PAGE"
> can also go up to LP5569_PROGRAM_LENGTH.  So we're 2x beyond the end of
> the array.
>

Yes, the second loop max value should have been LP5569_BYTES_PER_PAGE,
totally a copy-paste error on my side.

Thanks a lot for warning about this bug, will send a new version with this
fixed.

> ed7ae4f43e228c Christian Marangi 2024-05-27  379  			if (ret)
> ed7ae4f43e228c Christian Marangi 2024-05-27  380  				return -EINVAL;
> ed7ae4f43e228c Christian Marangi 2024-05-27  381  		}
> ed7ae4f43e228c Christian Marangi 2024-05-27  382  	}
> ed7ae4f43e228c Christian Marangi 2024-05-27  383  
> ed7ae4f43e228c Christian Marangi 2024-05-27  384  
> ed7ae4f43e228c Christian Marangi 2024-05-27  385  	return size;
> ed7ae4f43e228c Christian Marangi 2024-05-27  386  
> ed7ae4f43e228c Christian Marangi 2024-05-27  387  err:
> ed7ae4f43e228c Christian Marangi 2024-05-27  388  	dev_err(&chip->cl->dev, "wrong pattern format\n");
> ed7ae4f43e228c Christian Marangi 2024-05-27  389  	return -EINVAL;
> ed7ae4f43e228c Christian Marangi 2024-05-27  390  }
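
Review bot: At line 352 the loop condition "offset < size - 1" compares an int offset against a size_t size, so a call with size == 0 makes "size - 1" wrap to SIZE_MAX and sscanf() still runs on data; an early "if (!size) return -EINVAL;" before the loop removes the dependency on the caller never passing an empty buffer. Also, the page-select lp55xx_write() at lines 373-374 drops its return value while the data write at line 377 checks it, so a failed page switch goes unnoticed and the bytes that follow are still written; assign it to ret and bail out the same way.
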
> 
> -- 
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
> 

-- 
	Ansuel
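
Where the 223 in the smatch warning comes from, as an added example that is not part of the original mail or of the driver: it replays the two nested loops and records the indices instead of dereferencing them. The constants 128 and 32 are taken from the warning text and the "each 32 bytes" comment; walk_pages() and struct trace are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed from the thread: smatch reports a 128-byte 'pattern' array and
 * the code comment says a program page is 32 bytes. */
#define PROGRAM_LENGTH 128
#define BYTES_PER_PAGE 32

struct trace {
	size_t max_index;	/* highest pattern[] index the loops would read */
	size_t oob_reads;	/* reads at index >= PROGRAM_LENGTH */
	size_t reads;		/* total reads issued */
};

/* Replay the page/byte loops with the given inner bound. Indices are only
 * recorded, never dereferenced, so the v3 bound is safe to run here. */
static struct trace walk_pages(size_t inner_bound)
{
	struct trace t = {0, 0, 0};
	size_t page, i;

	for (page = 0; page < PROGRAM_LENGTH / BYTES_PER_PAGE; page++) {
		for (i = 0; i < inner_bound; i++) {
			size_t idx = i + page * BYTES_PER_PAGE;

			if (idx > t.max_index)
				t.max_index = idx;
			if (idx >= PROGRAM_LENGTH)
				t.oob_reads++;
			t.reads++;
		}
	}
	return t;
}

int main(void)
{
	struct trace v3 = walk_pages(PROGRAM_LENGTH);	/* bound as posted in v3 */
	struct trace fix = walk_pages(BYTES_PER_PAGE);	/* bound named in the reply */

	printf("v3 bound:    max index %zu, %zu of %zu reads past the array\n",
	       v3.max_index, v3.oob_reads, v3.reads);
	printf("fixed bound: max index %zu, %zu of %zu reads past the array\n",
	       fix.max_index, fix.oob_reads, fix.reads);
	return 0;
}
```

With the corrected bound every one of the 128 bytes is visited exactly once, which is also a quick property to check in a unit test for the next revision.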

Thread overview: 5+ messages
2024-05-27  9:47 [PATCH v3 1/3] dt-bindings: leds-lp55xx: limit pwr-sel property to ti,lp8501 Christian Marangi
2024-05-27  9:47 ` [PATCH v3 2/3] dt-bindings: leds-lp55xx: Add new ti,lp5569 compatible Christian Marangi
2024-05-27  9:47 ` [PATCH v3 3/3] leds: leds-lp5569: Add support for Texas Instruments LP5569 Christian Marangi
2024-05-29 14:32   ` Dan Carpenter
2024-05-29 14:39     ` Christian Marangi [this message]
