On 13/09/2025 16:51, Tom Rini wrote:
> On Sun, Aug 31, 2025 at 09:35:13AM -0600, Tom Rini wrote:
>> On Thu, Jul 03, 2025 at 12:31:50PM +0100, Andrew Goodbody wrote:
>>> The for loop in se_desc uses i as the loop index and also to cause the
>>> loop to end if the passed in name is not found. However i is not
>>> incremented which could cause the loop to continue indefinitely and
>>> access out of bounds memory.
>>> Add an increment of i to ensure that the loop terminates correctly in
>>> the case where name is not found.
>>> This issue was found by Smatch.
>>> Signed-off-by: Andrew Goodbody <andrew.goodb...@linaro.org>
>>> ---
>>> drivers/power/regulator/pfuze100.c | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> I size tested this as part of merging and saw unexpected shrinkage. In
>> turn, this got me to look harder at the code and I think the best answer
>> is to refactor things so that se_desc(...) follows the normal (linux
>> kernel) pattern of for (i = 0; i < ARRAY_SIZE(desc); i++) instead of
>> being passed size. That's I think the root of this confusion too. I'll
>> post a patch shortly.
> While I really wanted to make this suggested change, I'm just missing
> something as to how it should work, and perhaps the better answer is to
> rework the caller a bit to handle the check inline? I'm not sure...
Sorry Tom, I am just not sure if this is an action item on me or if you are
still looking at it? I do not know the code well but could take a look
at it if needed.
Thanks,
Andrew
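The loop defect and the ARRAY_SIZE() idiom discussed in this thread, shown as an added C example that is constructed for illustration and is not the U-Boot pfuze100 code; the descriptor type, table contents and the function names se_desc_buggy, se_desc_fixed and regulator_id are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed descriptor type and table for illustration; not pfuze100's. */
struct regulator_desc {
	const char *name;
	int id;
};

static const struct regulator_desc desc[] = {
	{ "sw1ab", 0 }, { "sw2", 1 }, { "vgen1", 2 },
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Shape of the defect from the commit message: i is both the index and the
 * exit condition, but nothing advances it, so a name absent from the table
 * compares d[0] forever. Kept only to show the bug; never call it. */
const struct regulator_desc *se_desc_buggy(const struct regulator_desc *d,
					   int size, const char *name)
{
	int i = 0;
	while (i < size) {
		if (!strcmp(d[i].name, name))
			return &d[i];
		/* missing: i++ */
	}
	return NULL;
}

/* Fixed lookup in the conventional form suggested in the thread: the bound
 * is ARRAY_SIZE(desc) and i advances every pass, so an unknown name falls
 * out of the loop and yields NULL instead of spinning. */
const struct regulator_desc *se_desc_fixed(const char *name)
{
	size_t i;
	for (i = 0; i < ARRAY_SIZE(desc); i++)
		if (!strcmp(desc[i].name, name))
			return &desc[i];
	return NULL;
}

/* Caller-side helper: id of the named regulator, or -1 when unknown. */
int regulator_id(const char *name)
{
	const struct regulator_desc *d = se_desc_fixed(name);
	return d ? d->id : -1;
}
```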