[PATCH] s390/3215: fix the array may be out of bounds

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] s390/3215: fix the array may be out of bounds
@ 2021-12-10  7:02 Yin Xiujiang
  2021-12-10 16:05 ` Heiko Carstens
  0 siblings, 1 reply; 2+ messages in thread
From: Yin Xiujiang @ 2021-12-10  7:02 UTC (permalink / raw)
  To: hca, gor, borntraeger, agordeev; +Cc: linux-s390, linux-kernel

if the variable 'line' is NR_3215,
the 'raw3215[line]' will be invalid

Signed-off-by: Yin Xiujiang <yinxiujiang@kylinos.cn>
---
 drivers/s390/char/con3215.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/char/con3215.c b/drivers/s390/char/con3215.c
index f356607835d8..29409d4ca4d5 100644
--- a/drivers/s390/char/con3215.c
+++ b/drivers/s390/char/con3215.c
@@ -687,7 +687,8 @@ static void raw3215_remove (struct ccw_device *cdev)
 		for (line = 0; line < NR_3215; line++)
 			if (raw3215[line] == raw)
 				break;
-		raw3215[line] = NULL;
+		if (line < NR_3215)
+			raw3215[line] = NULL;
 		spin_unlock(&raw3215_device_lock);
 		dev_set_drvdata(&cdev->dev, NULL);
 		raw3215_free_info(raw);
-- 
2.30.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] s390/3215: fix the array may be out of bounds
  2021-12-10  7:02 [PATCH] s390/3215: fix the array may be out of bounds Yin Xiujiang
@ 2021-12-10 16:05 ` Heiko Carstens
  0 siblings, 0 replies; 2+ messages in thread
From: Heiko Carstens @ 2021-12-10 16:05 UTC (permalink / raw)
  To: Yin Xiujiang; +Cc: gor, borntraeger, agordeev, linux-s390, linux-kernel

On Fri, Dec 10, 2021 at 03:02:17PM +0800, Yin Xiujiang wrote:
> if the variable 'line' is NR_3215,
> the 'raw3215[line]' will be invalid
> 
> Signed-off-by: Yin Xiujiang <yinxiujiang@kylinos.cn>
> ---
>  drivers/s390/char/con3215.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/s390/char/con3215.c b/drivers/s390/char/con3215.c
> index f356607835d8..29409d4ca4d5 100644
> --- a/drivers/s390/char/con3215.c
> +++ b/drivers/s390/char/con3215.c
> @@ -687,7 +687,8 @@ static void raw3215_remove (struct ccw_device *cdev)
>  		for (line = 0; line < NR_3215; line++)
>  			if (raw3215[line] == raw)
>  				break;
> -		raw3215[line] = NULL;
> +		if (line < NR_3215)
> +			raw3215[line] = NULL;

This doesn't make sense to me. This could only happen if a device that
was never probed would be removed. The original code could have been
written better to make that more obvious, but with this patch the code
will become even more confusing.

Therefore not applying.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-12-10 16:05 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-10  7:02 [PATCH] s390/3215: fix the array may be out of bounds Yin Xiujiang
2021-12-10 16:05 ` Heiko Carstens

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox