On Wed, May 29, 2024 at 05:32:16PM +0300, Dan Carpenter wrote:
> Hi Christian,
>
> kernel test robot noticed the following build warnings:
>
> https://git-scm.com/docs/git-format-patch#_base_tree_information]
>
> url:    https://github.com/intel-lab-lkp/linux/commits/Christian-Marangi/dt-bindings-leds-lp55xx-Add-new-ti-lp5569-compatible/20240527-174959
> base:   https://git.kernel.org/pub/scm/linux/kernel/git/lee/leds.git for-leds-next
> patch link:    https://lore.kernel.org/r/20240527094737.13354-3-ansuelsmth%40gmail.com
> patch subject: [PATCH v3 3/3] leds: leds-lp5569: Add support for Texas Instruments LP5569
> config: sparc-randconfig-r071-20240528 (https://download.01.org/0day-ci/archive/20240528/202405280611.QUICzlRj-lkp@xxxxxxxxx/config)
> compiler: sparc-linux-gcc (GCC) 13.2.0
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> | Reported-by: kernel test robot <lkp@xxxxxxxxx>
> | Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> | Closes: https://lore.kernel.org/r/202405280611.QUICzlRj-lkp@xxxxxxxxx/
>
> New smatch warnings:
> drivers/leds/leds-lp5569.c:378 lp5569_update_program_memory() error: buffer overflow 'pattern' 128 <= 223
>
> vim +/pattern +378 drivers/leds/leds-lp5569.c
>
> ed7ae4f43e228c Christian Marangi 2024-05-27  340  static int lp5569_update_program_memory(struct lp55xx_chip *chip,
> ed7ae4f43e228c Christian Marangi 2024-05-27  341  					const u8 *data, size_t size)
> ed7ae4f43e228c Christian Marangi 2024-05-27  342  {
> ed7ae4f43e228c Christian Marangi 2024-05-27  343  	enum lp55xx_engine_index idx = chip->engine_idx;
> ed7ae4f43e228c Christian Marangi 2024-05-27  344  	u8 pattern[LP5569_PROGRAM_LENGTH] = {0};
> ed7ae4f43e228c Christian Marangi 2024-05-27  345  	unsigned int cmd;
> ed7ae4f43e228c Christian Marangi 2024-05-27  346  	char c[3];
> ed7ae4f43e228c Christian Marangi 2024-05-27  347  	int nrchars;
> ed7ae4f43e228c Christian Marangi 2024-05-27  348  	int ret;
> ed7ae4f43e228c Christian Marangi 2024-05-27  349  	int offset = 0;
> ed7ae4f43e228c Christian Marangi 2024-05-27  350  	int page, i = 0;
> ed7ae4f43e228c Christian Marangi 2024-05-27  351
> ed7ae4f43e228c Christian Marangi 2024-05-27  352  	while ((offset < size - 1) && (i < LP5569_PROGRAM_LENGTH)) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  353  		/* separate sscanfs because length is working only for %s */
> ed7ae4f43e228c Christian Marangi 2024-05-27  354  		ret = sscanf(data + offset, "%2s%n ", c, &nrchars);
> ed7ae4f43e228c Christian Marangi 2024-05-27  355  		if (ret != 1)
> ed7ae4f43e228c Christian Marangi 2024-05-27  356  			goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  357
> ed7ae4f43e228c Christian Marangi 2024-05-27  358  		ret = sscanf(c, "%2x", &cmd);
> ed7ae4f43e228c Christian Marangi 2024-05-27  359  		if (ret != 1)
> ed7ae4f43e228c Christian Marangi 2024-05-27  360  			goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  361
> ed7ae4f43e228c Christian Marangi 2024-05-27  362  		pattern[i] = (u8)cmd;
> ed7ae4f43e228c Christian Marangi 2024-05-27  363  		offset += nrchars;
> ed7ae4f43e228c Christian Marangi 2024-05-27  364  		i++;
> ed7ae4f43e228c Christian Marangi 2024-05-27  365  	}
> ed7ae4f43e228c Christian Marangi 2024-05-27  366
> ed7ae4f43e228c Christian Marangi 2024-05-27  367  	/* Each instruction is 16bit long. Check that length is even */
> ed7ae4f43e228c Christian Marangi 2024-05-27  368  	if (i % 2)
> ed7ae4f43e228c Christian Marangi 2024-05-27  369  		goto err;
> ed7ae4f43e228c Christian Marangi 2024-05-27  370
> ed7ae4f43e228c Christian Marangi 2024-05-27  371  	for (page = 0; page < LP5569_PROGRAM_LENGTH / LP5569_BYTES_PER_PAGE; page++) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  372  		/* Write to the next page each 32 bytes */
> ed7ae4f43e228c Christian Marangi 2024-05-27  373  		lp55xx_write(chip, LP5569_REG_PROG_PAGE_SEL,
> ed7ae4f43e228c Christian Marangi 2024-05-27  374  			     LP5569_PAGE_ENG(idx) + page);
> ed7ae4f43e228c Christian Marangi 2024-05-27  375
> ed7ae4f43e228c Christian Marangi 2024-05-27  376  		for (i = 0; i < LP5569_PROGRAM_LENGTH; i++) {
> ed7ae4f43e228c Christian Marangi 2024-05-27  377  			ret = lp55xx_write(chip, LP5569_REG_PROG_MEM + i,
> ed7ae4f43e228c Christian Marangi 2024-05-27 @378  					   pattern[i + (page * LP5569_BYTES_PER_PAGE)]);
>                                                     					           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> i can go up to LP5569_PROGRAM_LENGTH and "page * LP5569_BYTES_PER_PAGE"
> can also go up to LP5569_PROGRAM_LENGTH. So we're 2x beyond the end of
> the array.
>

Yes the second loop max value should have been LP5569_BYTES_PER_PAGE,
totally a copy paste error on my side. Thanks a lot for warning about
this bug, will send new version with this fixed.

> ed7ae4f43e228c Christian Marangi 2024-05-27  379  			if (ret)
> ed7ae4f43e228c Christian Marangi 2024-05-27  380  				return -EINVAL;
> ed7ae4f43e228c Christian Marangi 2024-05-27  381  		}
> ed7ae4f43e228c Christian Marangi 2024-05-27  382  	}
> ed7ae4f43e228c Christian Marangi 2024-05-27  383
> ed7ae4f43e228c Christian Marangi 2024-05-27  384
> ed7ae4f43e228c Christian Marangi 2024-05-27  385  	return size;
> ed7ae4f43e228c Christian Marangi 2024-05-27  386
> ed7ae4f43e228c Christian Marangi 2024-05-27  387  err:
> ed7ae4f43e228c Christian Marangi 2024-05-27  388  	dev_err(&chip->cl->dev, "wrong pattern format\n");
> ed7ae4f43e228c Christian Marangi 2024-05-27  389  	return -EINVAL;
> ed7ae4f43e228c Christian Marangi 2024-05-27  390  }
>
> --
> 0-DAY CI Kernel Test Service
> https://github.com/intel/lkp-tests/wiki
>

--
	Ansuel
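
The index arithmetic behind the smatch warning, worked through as an added example that is not code from the patch or from either participant. The sizes 128 and 32 are taken from the smatch message and the code comment quoted above; scan_indexes, write_program and chip_mem are hypothetical names, and chip_mem is a constructed stand-in for the chip's paged program memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes implied by the thread: a 128-byte array, 32 bytes per page. */
#define PROGRAM_LENGTH 128
#define BYTES_PER_PAGE 32
#define NUM_PAGES (PROGRAM_LENGTH / BYTES_PER_PAGE)

/* Constructed stand-in for the chip's paged program memory. */
uint8_t chip_mem[NUM_PAGES][BYTES_PER_PAGE];

/* Walk the nested loop with a given inner bound without touching memory.
 * Returns the largest index formed; *oob counts indexes past the array. */
size_t scan_indexes(size_t inner_bound, size_t *oob)
{
	size_t page, i, idx, max = 0;

	*oob = 0;
	for (page = 0; page < NUM_PAGES; page++)
		for (i = 0; i < inner_bound; i++) {
			idx = i + page * BYTES_PER_PAGE;
			if (idx > max)
				max = idx;
			if (idx >= PROGRAM_LENGTH)
				(*oob)++;
		}
	return max;
}

/* Write loop with the page size as inner bound: each pattern byte is
 * read exactly once. Returns the number of bytes written. */
size_t write_program(const uint8_t *pattern)
{
	size_t page, i, written = 0;

	for (page = 0; page < NUM_PAGES; page++)
		for (i = 0; i < BYTES_PER_PAGE; i++, written++)
			chip_mem[page][i] = pattern[i + page * BYTES_PER_PAGE];
	return written;
}

int main(void)
{
	size_t oob, max = scan_indexes(PROGRAM_LENGTH, &oob);

	printf("bound 128: max index %zu, %zu out of bounds\n", max, oob);
	return 0;
}
```

With the inner bound set to the program length the largest index is 223, the value smatch reports against the 128-byte array; with the page size as the bound it is 127.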