Hi Fabio, Am Freitag, den 28.06.2013, 00:32 -0300 schrieb Fabio Estevam: > From: Fabio Estevam <fabio.este...@freescale.com> > > Later in ipu_dp_get() the index of the flow array is calculated by: > flow >> 1 > > So adjust its maximum to IPUV3_NUM_FLOWS << 1. > > Signed-off-by: Fabio Estevam <fabio.este...@freescale.com> > --- > drivers/staging/imx-drm/ipu-v3/ipu-dp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/staging/imx-drm/ipu-v3/ipu-dp.c > b/drivers/staging/imx-drm/ipu-v3/ipu-dp.c > index 3bdff6af..ae2c199 100644 > --- a/drivers/staging/imx-drm/ipu-v3/ipu-dp.c > +++ b/drivers/staging/imx-drm/ipu-v3/ipu-dp.c > @@ -282,7 +282,7 @@ struct ipu_dp *ipu_dp_get(struct ipu_soc *ipu, unsigned > int flow) > struct ipu_dp_priv *priv = ipu->dp_priv; > struct ipu_dp *dp; > > - if (flow > 5) > + if (flow > IPUV3_NUM_FLOWS << 1)
If (flow == IPUV3_NUM_FLOWS << 1), this will continue and try to access &priv->flow[3] below, which is invalid. How about + if ((flow >> 1) >= IPUV3_NUM_FLOWS) instead? > return ERR_PTR(-EINVAL); > > if (flow & 1) regards Philipp -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
