[PATCH] sparc/led: prevent buffer underflow on zero-length write

Next message: Adam Li: "Re: [External] : Re: [REGRESSION][v6.17-rc1]sched/fair: Bump sd-&gt;max_newidle_lb_cost when newidle balance fails"
Previous message: Xiangxu Yin: "Re: [PATCH v6 3/4] arm64: dts: qcom: Add DisplayPort and QMP USB3DP PHY for SM6150"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miaoqian Lin

Date: Thu Oct 30 2025 - 03:22:12 EST

Fix out-of-bounds access in led_proc_write() when count is 0.
Accessing buf[count - 1] with count=0 reads/writes buf[-1].

Check for count==0 and return -EINVAL early to fix this.

Found via static analysis and code review.

Fixes: ee1858d3122d ("[SPARC]: Add sun4m LED driver.")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Miaoqian Lin <linmq006@xxxxxxxxx>
---
arch/sparc/kernel/led.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/arch/sparc/kernel/led.c b/arch/sparc/kernel/led.c
index f4fb82b019bb..aa0ca0d8d0e2 100644
--- a/arch/sparc/kernel/led.c
+++ b/arch/sparc/kernel/led.c
@@ -70,6 +70,9 @@ static ssize_t led_proc_write(struct file *file, const char __user *buffer,
{
char *buf = NULL;

+ if (count == 0)
+ return -EINVAL;
+
if (count > LED_MAX_LENGTH)
count = LED_MAX_LENGTH;

--
2.39.5 (Apple Git-154)