There is a check for validity of one of ids in mxs_saif_probe(), while array dereferece is made by the other id. The patch adds the check for the second saif id. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx> --- sound/soc/mxs/mxs-saif.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/sound/soc/mxs/mxs-saif.c b/sound/soc/mxs/mxs-saif.c index 13631003cb7c..a002ab892772 100644 --- a/sound/soc/mxs/mxs-saif.c +++ b/sound/soc/mxs/mxs-saif.c @@ -735,6 +735,11 @@ static int mxs_saif_probe(struct platform_device *pdev) else saif->id = ret; + if (saif->id >= ARRAY_SIZE(mxs_saif)) { + dev_err(&pdev->dev, "get wrong saif id\n"); + return -EINVAL; + } + /* * If there is no "fsl,saif-master" phandle, it's a saif * master. Otherwise, it's a slave and its phandle points @@ -749,11 +754,11 @@ static int mxs_saif_probe(struct platform_device *pdev) return ret; else saif->master_id = ret; - } - if (saif->master_id >= ARRAY_SIZE(mxs_saif)) { - dev_err(&pdev->dev, "get wrong master id\n"); - return -EINVAL; + if (saif->master_id >= ARRAY_SIZE(mxs_saif)) { + dev_err(&pdev->dev, "get wrong master id\n"); + return -EINVAL; + } } mxs_saif[saif->id] = saif; -- 2.7.4 _______________________________________________ Alsa-devel mailing list Alsa-devel@xxxxxxxxxxxxxxxx http://mailman.alsa-project.org/mailman/listinfo/alsa-devel