On Thu, Jul 03, 2025 at 12:31:50PM +0100, Andrew Goodbody wrote:

> The for loop in se_desc uses i as the loop index and also to cause the
> loop to end if the passed in name is not found. However i is not
> incremented which could cause the loop to continue indefinitely and
> access out of bounds memory.
> Add an increment of i to ensure that the loop terminates correctly in
> the case where name is not found.
>
> This issue found by Smatch.
>
> Signed-off-by: Andrew Goodbody <[email protected]>
> ---
>  drivers/power/regulator/pfuze100.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

I size tested this as part of merging and saw unexpected shrinkage. In
turn, this got me to look harder at the code and I think the best answer
is to refactor things so that se_desc(...) follows the normal (linux
kernel) pattern of for (i = 0; i < ARRAY_SIZE(desc); i++) instead of
being passed size. That's I think the root of this confusion too. I'll
post a patch shortly.

-- 
Tom
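
The two loop shapes discussed in this thread, side by side, as an added example that is not the pfuze100 driver's code and not from either poster. The struct layout, table contents and function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical descriptor layout; the driver's real struct is not on the page. */
struct reg_desc {
	const char *name;
	unsigned int vsel_reg;
};

/* Constructed sample table, not the PFUZE100 register map. */
static const struct reg_desc sample_descs[] = {
	{ "sw1ab", 0x20 },
	{ "sw2",   0x35 },
	{ "vgen1", 0x6c },
};

/*
 * Size-passed lookup. i is both the index and the only exit condition on a
 * miss, so the i++ in the loop header is what bounds the walk to the table.
 */
const struct reg_desc *find_desc_sized(const struct reg_desc *desc,
				       size_t size, const char *name)
{
	size_t i;

	for (i = 0; i < size; i++) {
		if (!strcmp(desc[i].name, name))
			return &desc[i];
	}
	return NULL;	/* miss: terminate instead of running off the end */
}

/*
 * ARRAY_SIZE form: the bound comes from the array itself, so a caller cannot
 * pass a size that disagrees with the table. ARRAY_SIZE only works on a real
 * array; on a pointer parameter it would divide sizeof(pointer) instead.
 */
const struct reg_desc *find_sample_desc(const char *name)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(sample_descs); i++) {
		if (!strcmp(sample_descs[i].name, name))
			return &sample_descs[i];
	}
	return NULL;
}
```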

