Agh. I added the Signed-off-by in an earlier non-published version of the commit, but forgot to add it back. But that doesn't really excuses me.
I attached the (hopefully) final version of this patch. Pavel, I'll send the struct rename separately after I submit this.
Oct 5, 2020, 16:48 by post@xxxxxxxxxxx:
> Hei hei,
>
> On Mon, Oct 05, 2020 at 05:35:38PM +0200, ultracoolguy@xxxxxxxxxxxx wrote:
>
>> Well, the major benefit I see is that it makes the driver slightly
>> more readable. However I'm fine with whatever you guys decide.
>>
>> I'll attach the patch with the struct renaming removed just in case.
>>
>
> Note: your patch, especially the commit message, still needs a
> Signed-off-by line. Please read [1] (again?) and resend.
>
> Greets
> Alex
>
> [1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html
>
>> Oct 5, 2020, 14:41 by dmurphy@xxxxxx:
>>
>> > Gabriel
>> >
>> > On 10/5/20 9:38 AM, ultracoolguy@xxxxxxxxxxxx wrote:
>> >
>> >> I understand. So I should leave it like it was and do the rename in another patch?
>> >>
>> >
>> > You should do the fix in one patch and leave the structure name alone.
>> >
>> > The structure naming if fine and has no benefit and actually will make it more difficult for others to backport future fixes.
>> >
>> > Unless Pavel finds benefit in accepting the structure rename.
>> >
>> > Dan
>> >
>>
>> >From ee004d26bb2f91491141aa06f5518cc411711ff0 Mon Sep 17 00:00:00 2001
>> From: Ultracoolguy <ultracoolguy@xxxxxxxxxxxx>
>> Date: Fri, 2 Oct 2020 18:27:00 -0400
>> Subject: [PATCH] leds:lm3697:Fix out-of-bound access
>>
>> If both led banks aren't used in device tree,
>> an out-of-bounds condition in lm3697_init occurs
>> because of the for loop assuming that all the banks are used.
>> Fix it by adding a variable that contains the number of used banks.
>> ---
>> drivers/leds/leds-lm3697.c | 18 ++++++++++--------
>> 1 file changed, 10 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/leds/leds-lm3697.c b/drivers/leds/leds-lm3697.c
>> index 024983088d59..bd53450050b2 100644
>> --- a/drivers/leds/leds-lm3697.c
>> +++ b/drivers/leds/leds-lm3697.c
>> @@ -78,8 +78,9 @@ struct lm3697 {
>> struct mutex lock;
>>
>> int bank_cfg;
>> + int num_banks;
>>
>> - struct lm3697_led leds[];
>> + struct lm3697_led banks[];
>> };
>>
>> static const struct reg_default lm3697_reg_defs[] = {
>> @@ -180,8 +181,8 @@ static int lm3697_init(struct lm3697 *priv)
>> if (ret)
>> dev_err(&priv->client->dev, "Cannot write OUTPUT config\n");
>>
>> - for (i = 0; i < LM3697_MAX_CONTROL_BANKS; i++) {
>> - led = &priv->leds[i];
>> + for (i = 0; i < priv->num_banks; i++) {
>> + led = &priv->banks[i];
>> ret = ti_lmu_common_set_ramp(&led->lmu_data);
>> if (ret)
>> dev_err(&priv->client->dev, "Setting the ramp rate failed\n");
>> @@ -228,7 +229,7 @@ static int lm3697_probe_dt(struct lm3697 *priv)
>> goto child_out;
>> }
>>
>> - led = &priv->leds[i];
>> + led = &priv->banks[i];
>>
>> ret = ti_lmu_common_get_brt_res(&priv->client->dev,
>> child, &led->lmu_data);
>> @@ -307,16 +308,17 @@ static int lm3697_probe(struct i2c_client *client,
>> int ret;
>>
>> count = device_get_child_node_count(&client->dev);
>> - if (!count) {
>> - dev_err(&client->dev, "LEDs are not defined in device tree!");
>> - return -ENODEV;
>> + if (!count || count > LM3697_MAX_CONTROL_BANKS) {
>> + return -EINVAL;
>> }
>>
>> - led = devm_kzalloc(&client->dev, struct_size(led, leds, count),
>> + led = devm_kzalloc(&client->dev, struct_size(led, banks, count),
>> GFP_KERNEL);
>> if (!led)
>> return -ENOMEM;
>>
>> + led->num_banks = count;
>> +
>> mutex_init(&led->lock);
>> i2c_set_clientdata(client, led);
>>
>> --
>> 2.28.0
>>
>
>
> --
> /"\ ASCII RIBBON | »With the first link, the chain is forged. The first
> \ / CAMPAIGN | speech censured, the first thought forbidden, the
> X AGAINST | first freedom denied, chains us all irrevocably.«
> / \ HTML MAIL | (Jean-Luc Picard, quoting Judge Aaron Satie)
>
>From 146c98f0a0227fc3e11ffe6e66f0f7cf8aaebc69 Mon Sep 17 00:00:00 2001
From: Gabriel David <ultracoolguy@xxxxxxxxxxxx>
Date: Fri, 2 Oct 2020 18:27:00 -0400
Subject: [PATCH] leds:lm3697:Fix out-of-bound access
If both led banks aren't used in device tree,
an out-of-bounds condition in lm3697_init occurs
because of the for loop assuming that all the banks are used.
Fix it by adding a variable that contains the number of used banks.
Signed-off-by: Gabriel David <ultracoolguy@xxxxxxxxxxxx>
---
drivers/leds/leds-lm3697.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/leds/leds-lm3697.c b/drivers/leds/leds-lm3697.c
index 024983088d59..a3c44b4c9072 100644
--- a/drivers/leds/leds-lm3697.c
+++ b/drivers/leds/leds-lm3697.c
@@ -78,8 +78,9 @@ struct lm3697 {
struct mutex lock;
int bank_cfg;
+ int num_banks;
- struct lm3697_led leds[];
+ struct lm3697_led banks[];
};
static const struct reg_default lm3697_reg_defs[] = {
@@ -180,8 +181,8 @@ static int lm3697_init(struct lm3697 *priv)
if (ret)
dev_err(&priv->client->dev, "Cannot write OUTPUT config\n");
- for (i = 0; i < LM3697_MAX_CONTROL_BANKS; i++) {
- led = &priv->leds[i];
+ for (i = 0; i < priv->num_banks; i++) {
+ led = &priv->banks[i];
ret = ti_lmu_common_set_ramp(&led->lmu_data);
if (ret)
dev_err(&priv->client->dev, "Setting the ramp rate failed\n");
@@ -228,7 +229,7 @@ static int lm3697_probe_dt(struct lm3697 *priv)
goto child_out;
}
- led = &priv->leds[i];
+ led = &priv->banks[i];
ret = ti_lmu_common_get_brt_res(&priv->client->dev,
child, &led->lmu_data);
@@ -307,16 +308,16 @@ static int lm3697_probe(struct i2c_client *client,
int ret;
count = device_get_child_node_count(&client->dev);
- if (!count) {
- dev_err(&client->dev, "LEDs are not defined in device tree!");
- return -ENODEV;
- }
+ if (!count || count > LM3697_MAX_CONTROL_BANKS)
+ return -EINVAL;
- led = devm_kzalloc(&client->dev, struct_size(led, leds, count),
+ led = devm_kzalloc(&client->dev, struct_size(led, banks, count),
GFP_KERNEL);
if (!led)
return -ENOMEM;
+ led->num_banks = count;
+
mutex_init(&led->lock);
i2c_set_clientdata(client, led);
--
2.28.0
