From mboxrd@z Thu Jan 1 00:00:00 1970 From: Anton Vorontsov Date: Thu, 12 Aug 2010 11:17:05 +0000 Subject: Re: [patch 2/2] mtd/m25p80: fix test for end of loop Message-Id: <20100812111705.GA9966@oksana.dev.rtsoft.ru> List-Id: References: <20100812075827.GO645@bicker> In-Reply-To: <20100812075827.GO645@bicker> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Dan Carpenter Cc: Artem Bityutskiy , Mike Frysinger , kernel-janitors@vger.kernel.org, Gabor Juhos , linux-mtd@lists.infradead.org, David Woodhouse On Thu, Aug 12, 2010 at 09:58:27AM +0200, Dan Carpenter wrote: > "plat_id" is always non-NULL here. There is a zero element on the end > of the m25p_ids[] array and if we hit the end of the loop then plat_id > points to that. > > This would lead to a NULL pointer dereference later on in the function. > > Signed-off-by: Dan Carpenter Acked-by: Anton Vorontsov Thanks, > diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c > index 83c9086..6f512b5 100644 > --- a/drivers/mtd/devices/m25p80.c > +++ b/drivers/mtd/devices/m25p80.c > @@ -793,7 +793,7 @@ static int __devinit m25p_probe(struct spi_device *spi) > break; > } > > - if (plat_id) > + if (i < ARRAY_SIZE(m25p_ids) - 1) > id = plat_id; > else > dev_warn(&spi->dev, "unrecognized id %s\n", data->type); -- Anton Vorontsov email: cbouatmailru@gmail.com irc://irc.freenode.net/bd2 From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-bw0-f49.google.com ([209.85.214.49]) by bombadil.infradead.org with esmtp (Exim 4.72 #1 (Red Hat Linux)) id 1OjVmZ-0005cY-4q for linux-mtd@lists.infradead.org; Thu, 12 Aug 2010 11:17:12 +0000 Received: by bwz14 with SMTP id 14so146741bwz.36 for ; Thu, 12 Aug 2010 04:17:08 -0700 (PDT) Date: Thu, 12 Aug 2010 15:17:05 +0400 From: Anton Vorontsov To: Dan Carpenter Subject: Re: [patch 2/2] mtd/m25p80: fix test for end of loop Message-ID: <20100812111705.GA9966@oksana.dev.rtsoft.ru> References: <20100812075827.GO645@bicker> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20100812075827.GO645@bicker> Cc: Artem Bityutskiy , Mike Frysinger , kernel-janitors@vger.kernel.org, Gabor Juhos , linux-mtd@lists.infradead.org, David Woodhouse List-Id: Linux MTD discussion mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , On Thu, Aug 12, 2010 at 09:58:27AM +0200, Dan Carpenter wrote: > "plat_id" is always non-NULL here. There is a zero element on the end > of the m25p_ids[] array and if we hit the end of the loop then plat_id > points to that. > > This would lead to a NULL pointer dereference later on in the function. > > Signed-off-by: Dan Carpenter Acked-by: Anton Vorontsov Thanks, > diff --git a/drivers/mtd/devices/m25p80.c b/drivers/mtd/devices/m25p80.c > index 83c9086..6f512b5 100644 > --- a/drivers/mtd/devices/m25p80.c > +++ b/drivers/mtd/devices/m25p80.c > @@ -793,7 +793,7 @@ static int __devinit m25p_probe(struct spi_device *spi) > break; > } > > - if (plat_id) > + if (i < ARRAY_SIZE(m25p_ids) - 1) > id = plat_id; > else > dev_warn(&spi->dev, "unrecognized id %s\n", data->type); -- Anton Vorontsov email: cbouatmailru@gmail.com irc://irc.freenode.net/bd2