On 2020-02-24 17:18, Pierre-Louis Bossart wrote:
On 2/24/20 6:52 AM, Amadeusz Sławiński wrote:
Incrementation of avail_clk_cnt was incorrectly moved to error path. Put
it back to success path.
diff --git a/sound/soc/intel/skylake/skl-ssp-clk.c
b/sound/soc/intel/skylake/skl-ssp-clk.c
index 1c0e5226cb5b..bd43885f3805 100644
--- a/sound/soc/intel/skylake/skl-ssp-clk.c
+++ b/sound/soc/intel/skylake/skl-ssp-clk.c
@@ -384,9 +384,11 @@ static int skl_clk_dev_probe(struct
platform_device *pdev)
&clks[i], clk_pdata, i);
if (IS_ERR(data->clk[data->avail_clk_cnt])) {
- ret = PTR_ERR(data->clk[data->avail_clk_cnt++]);
+ ret = PTR_ERR(data->clk[data->avail_clk_cnt]);
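Review bot: on the IS_ERR() branch, the changelog says the increment was "incorrectly moved" but not what breaks or which commit moved it. Please spell out the failure in the message: with the count bumped on a failed registration, a cleanup loop of the form while (cnt--) ... clk[cnt]->lookup would start at the slot that holds the ERR_PTR value and dereference it. A Fixes: tag naming the commit that moved the increment would also help. The success-path avail_clk_cnt++ that the message says is being restored is not in the quoted part of the hunk, so that half cannot be checked from what is shown here.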
Are you sure?
If you start with avail_clk_cnt set to zero, the error handling will
decrement and access offset -1
static void unregister_src_clk(struct skl_clk_data *dclk)
{
	while (dclk->avail_clk_cnt--)
		clkdev_drop(dclk->clk[dclk->avail_clk_cnt]->lookup); <<< oob access with offset -1
}
Decrementation will occur after while's check evaluation - loop will
exit, decrementation happens regardless.
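
The loop behaviour discussed in the replies above, as an added example (not code from the thread or from the kernel): a constructed model that records which slots a `while (cnt--)` cleanup touches when the counter is, or is not, bumped for the failing slot. `BAD` stands in for an ERR_PTR() entry, `avail_clk_cnt` is assumed to be an `int`, and `probe`, `cleanup`, `run` and `count_failed` are hypothetical names.

```c
#include <stdio.h>
#define MAX_CLK 4
enum { GOOD = 1, BAD = -1 };	/* constructed: BAD stands in for an ERR_PTR() entry */
struct model {
	int clk[MAX_CLK];
	int avail_clk_cnt;	/* assumed int; the page does not show the field's type */
};
/* Registration loop; count_failed=1 models the increment on the error path. */
static void probe(struct model *m, int fail_at, int count_failed)
{
	m->avail_clk_cnt = 0;
	for (int i = 0; i < MAX_CLK; i++) {
		if (i == fail_at) {
			m->clk[m->avail_clk_cnt] = BAD;
			m->avail_clk_cnt += count_failed;
			return;
		}
		m->clk[m->avail_clk_cnt++] = GOOD;
	}
}

/* Same loop shape as unregister_src_clk(); returns how many BAD slots it touched. */
static int cleanup(struct model *m, int *visited)
{
	int bad = 0;
	*visited = 0;
	while (m->avail_clk_cnt--) {
		if (m->clk[m->avail_clk_cnt] == BAD)
			bad++;
		(*visited)++;
	}
	return bad;
}

/* Fail registration at fail_at, run the cleanup, report what it did. */
static int run(int fail_at, int count_failed, int *visited, int *final_cnt)
{
	struct model m = { {0}, 0 };
	probe(&m, fail_at, count_failed);
	int bad = cleanup(&m, visited);
	*final_cnt = m.avail_clk_cnt;
	return bad;
}

int main(void)
{
	int v, c, bad = run(0, 1, &v, &c);
	printf("visited=%d bad=%d cnt=%d\n", v, bad, c);
	return 0;
}
```

In this model, a counter left at 0 means the loop body never runs and the counter ends at -1 without being used as an index; a counter bumped for the failed slot makes that slot the first one the cleanup visits.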