lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240807-leds-pca995x-fix-fwnode-usage-v1-1-8057c84dc583@gmail.com>
Date: Wed, 07 Aug 2024 15:37:03 +0200
From: Javier Carrasco <javier.carrasco.cruz@...il.com>
To: Pavel Machek <pavel@....cz>, Lee Jones <lee@...nel.org>, 
 Isai Gaspar <isaiezequiel.gaspar@....com>, Marek Vasut <marex@...x.de>, 
 Jonathan Cameron <jic23@...nel.org>
Cc: linux-leds@...r.kernel.org, linux-kernel@...r.kernel.org, 
 Javier Carrasco <javier.carrasco.cruz@...il.com>
Subject: [PATCH] leds: pca995x: Fix device child node usage in
 pca995x_probe()

The current implementation accesses the `child` fwnode handle outside of
device_for_each_child_node() without incrementing its refcount.

Add the missing call to `fwnode_handle_get(child)`.

The cleanup process where `child` is accessed is not right either
because a single call to `fwnode_handle_put()` is carried out in case of
an error, ignoring unasigned nodes at the point when the error happens.

Keep `child` inside of the first loop, and use the helper pointer that
receives references via `fwnode_handle_get()` to handle the child nodes
within the second loop. Keeping `child` inside the first node has also
the advantage that the scoped version of the loop can be used.

Fixes: ee4e80b2962e ("leds: pca995x: Add support for PCA995X chips")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@...il.com>
---
This issue has been found while reviewing the recently applied commit
3ec05e5feacd ("leds: pca995x: Use device_for_each_child_node() to access
device child nodes"), which required some conflict resolution to be
applied.

This driver makes use of the variable `child` outside the
_for_each_child_node() loop as it that variable contained the right
address at the point where `fwnode_handle_put(child)` is called, which
is not a valid assumption. `child` is assigned to led_fwnodes[reg]
without incrementing its refcount, and the cleanup is off as well
because even if that was correct, a single child node would be
de-allocated.

A similar fix was provided in the series where forementioned commit
was included for leds-bd2606mvv.c [1].

Link: https://lore.kernel.org/all/20240721-device_for_each_child_node-available-v2-3-f33748fd8b2d@gmail.com/ [1]
---
 drivers/leds/leds-pca995x.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/leds/leds-pca995x.c b/drivers/leds/leds-pca995x.c
index 83bc9669544c..11c7bb69573e 100644
--- a/drivers/leds/leds-pca995x.c
+++ b/drivers/leds/leds-pca995x.c
@@ -120,12 +120,11 @@ static const struct regmap_config pca995x_regmap = {
 static int pca995x_probe(struct i2c_client *client)
 {
 	struct fwnode_handle *led_fwnodes[PCA995X_MAX_OUTPUTS] = { 0 };
-	struct fwnode_handle *child;
 	struct device *dev = &client->dev;
 	const struct pca995x_chipdef *chipdef;
 	struct pca995x_chip *chip;
 	struct pca995x_led *led;
-	int i, reg, ret;
+	int i, j, reg, ret;
 
 	chipdef = device_get_match_data(&client->dev);
 
@@ -143,7 +142,7 @@ static int pca995x_probe(struct i2c_client *client)
 
 	i2c_set_clientdata(client, chip);
 
-	device_for_each_child_node(dev, child) {
+	device_for_each_child_node_scoped(dev, child) {
 		ret = fwnode_property_read_u32(child, "reg", &reg);
 		if (ret)
 			return ret;
@@ -152,7 +151,7 @@ static int pca995x_probe(struct i2c_client *client)
 			return -EINVAL;
 
 		led = &chip->leds[reg];
-		led_fwnodes[reg] = child;
+		led_fwnodes[reg] = fwnode_handle_get(child);
 		led->chip = chip;
 		led->led_no = reg;
 		led->ldev.brightness_set_blocking = pca995x_brightness_set;
@@ -171,7 +170,8 @@ static int pca995x_probe(struct i2c_client *client)
 						     &chip->leds[i].ldev,
 						     &init_data);
 		if (ret < 0) {
-			fwnode_handle_put(child);
+			for (j = i; j < PCA995X_MAX_OUTPUTS; j++)
+				fwnode_handle_put(led_fwnodes[j]);
 			return dev_err_probe(dev, ret,
 					     "Could not register LED %s\n",
 					     chip->leds[i].ldev.name);

---
base-commit: 1e391b34f6aa043c7afa40a2103163a0ef06d179
change-id: 20240806-leds-pca995x-fix-fwnode-usage-f69d91e81b2c

Best regards,
-- 
Javier Carrasco <javier.carrasco.cruz@...il.com>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ