Thank you for your contribution! Sashiko AI review found 1 potential issue(s) 
to consider:
- [High] Sysfs show functions `show_linear` and `show_als_en` incorrectly treat 
a set hardware bit as an error, leaking uninitialized kernel memory to 
userspace.
--

commit 5b473ee9a07b0b9fd223194515f44e1ffe1b934d
Author: Svyatoslav Ryhel <[email protected]>

video: backlight: lm3533_bl: Implement backlight_scale property

Since the device supports linear and non-linear modes, implement the
backlight_scale property to describe this state.

> diff --git a/drivers/video/backlight/lm3533_bl.c 
> b/drivers/video/backlight/lm3533_bl.c
> index 4f8cde9f290d0..2aa4b86042ff2 100644
> --- a/drivers/video/backlight/lm3533_bl.c
> +++ b/drivers/video/backlight/lm3533_bl.c
> @@ -142,6 +142,7 @@ static ssize_t store_linear(struct device *dev, struct 
> device_attribute *attr,
>  {
>       struct lm3533_bl *bl = dev_get_drvdata(dev);
>       int ctrlbank = lm3533_bl_get_ctrlbank_id(bl);
> +     struct backlight_device *bd = bl->bd;
>       unsigned long linear;
>       int ret;
>  
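
Review bot: The new local `bd` in store_linear() is used only for the single `bd->props.scale` assignment in the next hunk; writing `bl->bd->props.scale` there would avoid the extra declaration, unless the local is kept for consistency with the rest of the file.
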
> @@ -153,6 +154,9 @@ static ssize_t store_linear(struct device *dev, struct 
> device_attribute *attr,
>       if (ret)
>               return ret;
>  
> +     bd->props.scale = linear ? BACKLIGHT_SCALE_LINEAR :
> +                                BACKLIGHT_SCALE_NON_LINEAR;
> +
>       return len;
>  }
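
Review bot: The quoted hunks update `bd->props.scale` only in store_linear(), after the register write succeeds, so the property follows the mode only once userspace has written the attribute. If the initial scale is not already set where the backlight device is registered, set it there from the same linear/non-linear setting so the reported scale is correct before the first store.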

[Severity: High]
This isn't a bug introduced by this patch, but looking at the adjacent
show_linear() and show_als_en() functions:

drivers/video/backlight/lm3533_bl.c:show_linear() {
    ...
        ret = regmap_test_bits(bl->regmap, LM3533_REG_CTRLBANK_AB_BCONF,
                               CTRLBANK_AB_BCONF_MODE(ctrlbank));
        if (ret)
                return ret;
    ...
}

If the hardware bit is set, regmap_test_bits() returns 1. Since the check is
if (ret), it immediately returns 1 to the sysfs core without calling
scnprintf() to populate the buffer.

Does this cause the sysfs core to interpret this as one byte successfully
written and copy the first byte of the unwritten buffer to userspace, leaking
potentially uninitialized kernel memory?

Should the check instead be `if (ret < 0)`?

-- 
Sashiko AI review · 
https://sashiko.dev/#/patchset/[email protected]?part=13
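
The return-value handling questioned in the review above, as an added userspace model that is not part of the original message or of the driver. `test_bits_model`, `show_buggy` and `show_fixed` are hypothetical stand-ins, `snprintf` stands in for `scnprintf`, and the sentinel-filled buffer is constructed to make unwritten bytes visible.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 16
#define SENTINEL 0x5a   /* constructed marker for "never written" bytes */

/* Hypothetical stand-in for regmap_test_bits(): 1 if all tested bits are
 * set, 0 if not, negative errno if the register read fails. */
static int test_bits_model(int reg_val, unsigned int mask, int read_err)
{
    if (read_err)
        return -read_err;
    return ((unsigned int)reg_val & mask) == mask;
}

/* Pattern quoted in the review: any non-zero result is treated as failure,
 * so a set bit returns 1 before the buffer is filled. */
static long show_buggy(char *buf, int reg_val, unsigned int mask, int read_err)
{
    int ret = test_bits_model(reg_val, mask, read_err);

    if (ret)
        return ret;
    return snprintf(buf, BUF_SZ, "%d\n", ret);
}

/* Check suggested in the review: only negative values are errors. */
static long show_fixed(char *buf, int reg_val, unsigned int mask, int read_err)
{
    int ret = test_bits_model(reg_val, mask, read_err);

    if (ret < 0)
        return ret;
    return snprintf(buf, BUF_SZ, "%d\n", ret);
}

int main(void)
{
    char buf[BUF_SZ];
    memset(buf, SENTINEL, sizeof(buf));
    long n = show_buggy(buf, 0x02, 0x02, 0);
    printf("buggy: ret=%ld first byte=0x%02x\n", n, (unsigned char)buf[0]);
    memset(buf, SENTINEL, sizeof(buf));
    n = show_fixed(buf, 0x02, 0x02, 0);
    printf("fixed: ret=%ld text=%s", n, buf);
    return 0;
}
```

With the bit set, the first variant reports a length of 1 while the buffer still holds only the sentinel; the second writes "1\n" and reports 2, and both still pass a negative errno through unchanged.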
