On Sun, Aug 31, 2025 at 09:35:13AM -0600, Tom Rini wrote:
> On Thu, Jul 03, 2025 at 12:31:50PM +0100, Andrew Goodbody wrote:
>
> > The for loop in se_desc uses i as the loop index and also to cause the
> > loop to end if the passed in name is not found. However i is not
> > incremented which could cause the loop to continue indefinitely and
> > access out of bounds memory.
> > Add an increment of i to ensure that the loop terminates correctly in
> > the case where name is not found.
> >
> > This issue found by Smatch.
> >
> > Signed-off-by: Andrew Goodbody <[email protected]>
> > ---
> >  drivers/power/regulator/pfuze100.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
>
> I size tested this as part of merging and saw unexpected shrinkage. In
> turn, this got me to look harder at the code and I think the best answer
> is to refactor things so that se_desc(...) follows the normal (linux
> kernel) pattern of for (i = 0; i < ARRAY_SIZE(desc); i++) instead of
> being passed size. That's, I think, the root of this confusion too. I'll
> post a patch shortly.

While I really wanted to make this suggested change, I'm just missing something as to how it should work, and perhaps the better answer is to rework the caller a bit to handle the check inline? I'm not sure...

--
Tom
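The loop-termination issue from the commit message and the ARRAY_SIZE pattern mentioned in the reply, as an added example that is not code from this thread or from the pfuze100 driver. The struct, function, macro and table names below are hypothetical, and the table contents are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical descriptor type for this example; not the driver's struct. */
struct reg_desc {
	const char *name;
	int id;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Bounded lookup: i is both the index and the termination condition,
 * so it must advance on every iteration. If the loop steps through the
 * table without incrementing i, "i < size" stays true forever and a
 * missing name walks the loop past the last entry (out-of-bounds read).
 */
static const struct reg_desc *find_desc(const struct reg_desc *desc,
					size_t size, const char *name)
{
	size_t i;

	for (i = 0; i < size; i++) {
		if (!strcmp(desc[i].name, name))
			return &desc[i];
	}
	return NULL; /* name not in table */
}

/*
 * ARRAY_SIZE needs the array type to be visible. Inside find_desc()
 * the table is only a pointer, so the count is computed where the
 * array is declared, here through a call-site macro.
 */
#define FIND_DESC(table, name) find_desc((table), ARRAY_SIZE(table), (name))

/* Constructed sample table. */
static const struct reg_desc sample_regs[] = {
	{ "reg_a", 0 },
	{ "reg_b", 1 },
	{ "reg_c", 2 },
};

/* Lookup against the sample table; returns NULL when name is absent. */
static const struct reg_desc *lookup_sample(const char *name)
{
	return FIND_DESC(sample_regs, name);
}
```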

