On Tue, Mar 13, 2018 at 05:55:35PM +0100, Pierre-Yves MORDRET wrote: > The bitfield dma_inuse is allocated of size dma_requests bits, thus a > valid bit address is from 0 to (dma_requests - 1). > When find_first_zero_bit() fails, it returns dma_requests as invalid > address. > Using such address for the following set_bit() is incorrect and, if > dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer > overflow. > Currently this driver is only used in DT stm32h743.dtsi where a safe value > dma_requests=16 is not triggering the buffer overflow. > > Fixed by checking the return value of find_first_zero_bit() _before_ > using it. Applied, thanks -- ~Vinod -- To unsubscribe from this list: send the line "unsubscribe dmaengine" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html