The echo field in dln2_transfer_complete comes directly from an USB transfer and we should not trust it is valid.
Reported-by: Dan Carpenter <[email protected]> Signed-off-by: Octavian Purdila <[email protected]> --- drivers/mfd/dln2.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c index cf22841..df2fda9 100644 --- a/drivers/mfd/dln2.c +++ b/drivers/mfd/dln2.c @@ -195,6 +195,9 @@ static bool dln2_transfer_complete(struct dln2_dev *dln2, struct urb *urb, struct dln2_rx_context *rxc; bool valid_slot = false; + if (rx_slot >= DLN2_MAX_RX_SLOTS) + goto out; + rxc = &rxs->slots[rx_slot]; /* @@ -210,6 +213,7 @@ static bool dln2_transfer_complete(struct dln2_dev *dln2, struct urb *urb, } spin_unlock(&rxs->lock); +out: if (!valid_slot) dev_warn(dev, "bad/late response %d/%d\n", handle, rx_slot); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
