From 8cc311167c22f9365304b2b20225df2d881c8843 Mon Sep 17 00:00:00 2001 From: Andrzej Hajda Date: Mon, 20 Feb 2017 19:57:57 +0100 Subject: [PATCH] PM / OPP: fix off-by-one bug in dev_pm_opp_get_max_volt_latency loop Reading array at given index before checking if index is valid results in illegal memory access. The bug was detected using KASAN framework. Signed-off-by: Andrzej Hajda Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki --- drivers/base/power/opp/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/base/power/opp/core.c b/drivers/base/power/opp/core.c index 91ec3232d630..dae61720b314 100644 --- a/drivers/base/power/opp/core.c +++ b/drivers/base/power/opp/core.c @@ -231,7 +231,8 @@ unsigned long dev_pm_opp_get_max_volt_latency(struct device *dev) * The caller needs to ensure that opp_table (and hence the regulator) * isn't freed, while we are executing this routine. */ - for (i = 0; reg = regulators[i], i < count; i++) { + for (i = 0; i < count; i++) { + reg = regulators[i]; ret = regulator_set_voltage_time(reg, uV[i].min, uV[i].max); if (ret > 0) latency_ns += ret * 1000; -- 2.30.2