| Message ID | 1487617077-21865-1-git-send-email-a.hajda@samsung.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Delegated to: | Rafael Wysocki |
| Headers | show |
On 20-02-17, 19:57, Andrzej Hajda wrote: > Reading array at given index before checking if index is valid results in > illegal memory access. > > The bug was detected using KASAN framework. > > Signed-off-by: Andrzej Hajda <a.hajda@samsung.com> > --- > drivers/base/power/opp/core.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c > index 91ec323..dae6172 100644 > --- a/drivers/base/power/opp/core.c > +++ b/drivers/base/power/opp/core.c > @@ -231,7 +231,8 @@ unsigned long dev_pm_opp_get_max_volt_latency(struct device *dev) > * The caller needs to ensure that opp_table (and hence the regulator) > * isn't freed, while we are executing this routine. > */ > - for (i = 0; reg = regulators[i], i < count; i++) { > + for (i = 0; i < count; i++) { > + reg = regulators[i]; > ret = regulator_set_voltage_time(reg, uV[i].min, uV[i].max); > if (ret > 0) > latency_ns += ret * 1000; Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c index 91ec323..dae6172 100644 --- a/drivers/base/power/opp/core.c +++ b/drivers/base/power/opp/core.c @@ -231,7 +231,8 @@ unsigned long dev_pm_opp_get_max_volt_latency(struct device *dev) * The caller needs to ensure that opp_table (and hence the regulator) * isn't freed, while we are executing this routine. */ - for (i = 0; reg = regulators[i], i < count; i++) { + for (i = 0; i < count; i++) { + reg = regulators[i]; ret = regulator_set_voltage_time(reg, uV[i].min, uV[i].max); if (ret > 0) latency_ns += ret * 1000;
Reading array at given index before checking if index is valid results in illegal memory access. The bug was detected using KASAN framework. Signed-off-by: Andrzej Hajda <a.hajda@samsung.com> --- drivers/base/power/opp/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)