* [patch 2/2] mtd/m25p80: fix test for end of loop
@ 2010-08-12 7:58 ` Dan Carpenter
0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2010-08-12 7:58 UTC (permalink / raw)
To: David Woodhouse
Cc: Artem Bityutskiy, Mike Frysinger, Anton Vorontsov,
kernel-janitors, Gabor Juhos, linux-mtd
"plat_id" is always non-NULL here. There is a zero element on the end
of the m25p_ids[] array and if we hit the end of the loop then plat_id
points to that.
This would lead to a NULL pointer dereference later on in the function.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
index 83c9086..6f512b5 100644
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -793,7 +793,7 @@ static int __devinit m25p_probe(struct spi_device *spi)
break;
}
- if (plat_id)
+ if (i < ARRAY_SIZE(m25p_ids) - 1)
id = plat_id;
else
dev_warn(&spi->dev, "unrecognized id %s\n", data->type);
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [patch 2/2] mtd/m25p80: fix test for end of loop
@ 2010-08-12 7:58 ` Dan Carpenter
0 siblings, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2010-08-12 7:58 UTC (permalink / raw)
To: David Woodhouse
Cc: Artem Bityutskiy, Mike Frysinger, Anton Vorontsov,
kernel-janitors, Gabor Juhos, linux-mtd
"plat_id" is always non-NULL here. There is a zero element on the end
of the m25p_ids[] array and if we hit the end of the loop then plat_id
points to that.
This would lead to a NULL pointer dereference later on in the function.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
index 83c9086..6f512b5 100644
--- a/drivers/mtd/devices/m25p80.c
+++ b/drivers/mtd/devices/m25p80.c
@@ -793,7 +793,7 @@ static int __devinit m25p_probe(struct spi_device *spi)
break;
}
- if (plat_id)
+ if (i < ARRAY_SIZE(m25p_ids) - 1)
id = plat_id;
else
dev_warn(&spi->dev, "unrecognized id %s\n", data->type);
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch 2/2] mtd/m25p80: fix test for end of loop
2010-08-12 7:58 ` Dan Carpenter
@ 2010-08-12 11:17 ` Anton Vorontsov
-1 siblings, 0 replies; 4+ messages in thread
From: Anton Vorontsov @ 2010-08-12 11:17 UTC (permalink / raw)
To: Dan Carpenter
Cc: Artem Bityutskiy, Mike Frysinger, kernel-janitors, Gabor Juhos,
linux-mtd, David Woodhouse
On Thu, Aug 12, 2010 at 09:58:27AM +0200, Dan Carpenter wrote:
> "plat_id" is always non-NULL here. There is a zero element on the end
> of the m25p_ids[] array and if we hit the end of the loop then plat_id
> points to that.
>
> This would lead to a NULL pointer dereference later on in the function.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Anton Vorontsov <cbouatmailru@gmail.com>
Thanks,
> diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
> index 83c9086..6f512b5 100644
> --- a/drivers/mtd/devices/m25p80.c
> +++ b/drivers/mtd/devices/m25p80.c
> @@ -793,7 +793,7 @@ static int __devinit m25p_probe(struct spi_device *spi)
> break;
> }
>
> - if (plat_id)
> + if (i < ARRAY_SIZE(m25p_ids) - 1)
> id = plat_id;
> else
> dev_warn(&spi->dev, "unrecognized id %s\n", data->type);
--
Anton Vorontsov
email: cbouatmailru@gmail.com
irc://irc.freenode.net/bd2
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch 2/2] mtd/m25p80: fix test for end of loop
@ 2010-08-12 11:17 ` Anton Vorontsov
0 siblings, 0 replies; 4+ messages in thread
From: Anton Vorontsov @ 2010-08-12 11:17 UTC (permalink / raw)
To: Dan Carpenter
Cc: Artem Bityutskiy, Mike Frysinger, kernel-janitors, Gabor Juhos,
linux-mtd, David Woodhouse
On Thu, Aug 12, 2010 at 09:58:27AM +0200, Dan Carpenter wrote:
> "plat_id" is always non-NULL here. There is a zero element on the end
> of the m25p_ids[] array and if we hit the end of the loop then plat_id
> points to that.
>
> This would lead to a NULL pointer dereference later on in the function.
>
> Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Anton Vorontsov <cbouatmailru@gmail.com>
Thanks,
> diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c
> index 83c9086..6f512b5 100644
> --- a/drivers/mtd/devices/m25p80.c
> +++ b/drivers/mtd/devices/m25p80.c
> @@ -793,7 +793,7 @@ static int __devinit m25p_probe(struct spi_device *spi)
> break;
> }
>
> - if (plat_id)
> + if (i < ARRAY_SIZE(m25p_ids) - 1)
> id = plat_id;
> else
> dev_warn(&spi->dev, "unrecognized id %s\n", data->type);
--
Anton Vorontsov
email: cbouatmailru@gmail.com
irc://irc.freenode.net/bd2
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-08-12 11:17 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-08-12 7:58 [patch 2/2] mtd/m25p80: fix test for end of loop Dan Carpenter
2010-08-12 7:58 ` Dan Carpenter
2010-08-12 11:17 ` Anton Vorontsov
2010-08-12 11:17 ` Anton Vorontsov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.