If imgu_node_map[i].css_queue is not equal to css_queue then "i" after the loop could be equal to IMGU_NODE_NUM that is more than the border value (IMGU_NODE_NUM - 1). So imgu_map_node() call may return IMGU_NODE_NUM that is more than expected value. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7fc7af649ca7 ("media: staging/intel-ipu3: Add imgu top level pci device driver") Signed-off-by: Aleksandr Burakov <a.burakov@xxxxxxxxxxxx> --- drivers/staging/media/ipu3/ipu3.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/media/ipu3/ipu3.c b/drivers/staging/media/ipu3/ipu3.c index 0c453b37f8c4..cb09eb3cc227 100644 --- a/drivers/staging/media/ipu3/ipu3.c +++ b/drivers/staging/media/ipu3/ipu3.c @@ -60,8 +60,10 @@ unsigned int imgu_map_node(struct imgu_device *imgu, unsigned int css_queue) for (i = 0; i < IMGU_NODE_NUM; i++) if (imgu_node_map[i].css_queue == css_queue) break; - - return i; + if (i < IMGU_NODE_NUM) + return i; + else + return (IMGU_NODE_NUM - 1); } /**************** Dummy buffers ****************/ -- 2.25.1
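Review bot: The new fallback at the end of imgu_map_node(), `else return (IMGU_NODE_NUM - 1);`, turns a failed lookup into a valid index for the last entry of imgu_node_map, so a caller can no longer tell an unknown css_queue from a real match on that node and would treat the miss as a hit. The commit message explains why IMGU_NODE_NUM must not be returned, but not why the last node is the right substitute. Please either justify that choice in the message or make the miss visible, for example with a WARN_ON() before the fallback, or by letting the function report failure so callers can check it (the unsigned int return type would have to change to carry an error code). On style, the `else` after `return i;` is redundant and the parentheses around the return value are not needed: `if (i < IMGU_NODE_NUM) return i;` followed by a plain `return IMGU_NODE_NUM - 1;` reads better. The blank line the patch removes between the loop and the return is also worth keeping.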