Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] This problem wasn't introduced by this patch, but an out-of-bounds array write occurs in `lm3533_device_init` when a child node contains multiple matching compatible strings.
--

commit 5fa77e39c45bca237d41fbd7e2b8b8b97be664ec
Author: Svyatoslav Ryhel <[email protected]>

mfd: lm3533: Set DMA mask

This commit sets the DMA mask to zero to prevent a warning in dmesg about the DMA mask not being set for the platform device. It applies to both the coherent and regular DMA mask, as neither the core nor the cells utilize DMA.

> diff --git a/drivers/mfd/lm3533-core.c b/drivers/mfd/lm3533-core.c > index 500cec3ccebad..5d17da1d998b5 100644 > --- a/drivers/mfd/lm3533-core.c > +++ b/drivers/mfd/lm3533-core.c [ ... ]
> @@ -489,6 +489,10 @@ static int lm3533_i2c_probe(struct i2c_client *i2c) > LM3533_BOOST_FREQ_MAX); > lm3533->boost_freq = lm3533->boost_freq / (500 * KILO) - 1; > > + /* LM3533 and child devices do not use DMA */ > + i2c->dev.coherent_dma_mask = 0; > + i2c->dev.dma_mask = &i2c->dev.coherent_dma_mask; > + > return lm3533_device_init(lm3533); > }

[Severity: High]
This is a pre-existing issue, but can the device initialization in lm3533_device_init() write past the bounds of the lm3533_devices array?

The array is allocated based on the total number of child nodes:

    lm3533_devices = devm_kcalloc(dev, nchilds, sizeof(*lm3533_devices), GFP_KERNEL);

However, inside the device_for_each_child_node_scoped() loop, the compatibility checks are independent if statements without an else if or continue:

    if (fwnode_device_is_compatible(child, "ti,lm3533-als")) {
        lm3533_devices[count].name = "lm3533-als";
        ...
        count++;
    }
    if (fwnode_device_is_compatible(child, "ti,lm3533-backlight")) {
        ...
        count++;
    }

If a single child node contains multiple matching compatible strings, such as "ti,lm3533-als" and "ti,lm3533-backlight", count will be incremented multiple times during a single loop iteration.

Since the bounds check

    if (count >= nchilds)
        break;

only happens at the start of the loop, this sequence would allow count to exceed nchilds, writing out of bounds on the lm3533_devices array.

--
Sashiko AI review · https://sashiko.dev/#/patchset/[email protected]?part=10
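
Review bot: the comment above the two added assignments in lm3533_i2c_probe() says the devices do not use DMA, but it does not say why the masks are set at all, nor why they are set on i2c->dev when the commit message describes the warning as being about the platform device. Consider extending the comment to name the warning being silenced and how the I2C client's mask relates to the cells. Note also that dma_mask now points at coherent_dma_mask, so the two masks are aliased and a later write to either one changes both; if that is intended, a word in the comment would help the next reader.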
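
A userspace model of the loop shape the review describes, added here as an illustration (it is not code from the driver or from the review). The struct, function names and sample nodes are constructed, and the per-store check is one possible hardening, not a fix the project has chosen.

```c
#include <stddef.h>
#include <string.h>

/* Userspace model of the loop quoted in the review; constructed, not kernel code. */
#define ALS "ti,lm3533-als"
#define BL  "ti,lm3533-backlight"
struct child { const char *compat[2]; };  /* a node's compatible strings, NULL-padded */

static int is_compatible(const struct child *c, const char *s)
{
    return (c->compat[0] && !strcmp(c->compat[0], s)) ||
           (c->compat[1] && !strcmp(c->compat[1], s));
}

/* Loop shape from the review: bounds check at the top, two independent ifs.
 * Returns the final count, i.e. how many array slots the loop would store to. */
static size_t slots_requested(const struct child *ch, size_t nchilds)
{
    size_t count = 0;
    for (size_t i = 0; i < nchilds; i++) {
        if (count >= nchilds)
            break;
        if (is_compatible(&ch[i], ALS))
            count++;                      /* models the store to slot [count] */
        if (is_compatible(&ch[i], BL))
            count++;
    }
    return count;
}

/* Hardened variant (an assumption, not the driver's fix): check before every store. */
static int fill_checked(const struct child *ch, size_t nchilds, const char **out)
{
    static const char *const ids[] = { ALS, BL };
    size_t count = 0;
    for (size_t i = 0; i < nchilds; i++)
        for (size_t m = 0; m < 2; m++)
            if (is_compatible(&ch[i], ids[m])) {
                if (count >= nchilds)
                    return -1;            /* refuse rather than overrun out[] */
                out[count++] = ids[m];
            }
    return (int)count;
}

/* Constructed inputs: in `dual` the second node lists both compatibles. */
static const struct child dual[2]  = { {{ ALS, NULL }}, {{ ALS, BL }} };
static const struct child plain[2] = { {{ ALS, NULL }}, {{ BL, NULL }} };
```

With two nodes, `plain` asks for two slots and fits the allocation, while `dual` asks for three; the checked variant rejects `dual` instead of storing past the end.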
