On 8/27/20 10:49 AM, Zwane Mwaikambo wrote: > This v3 addresses patch formatting and submission issues with the > previous versions. That info goes after the "---" line. > con->partner_altmode[i] ends up with the value 0x2 in the call to > typec_altmode_update_active because the array has been accessed out of > bounds causing a random memory read. > > This patch fixes the first occurence and 2/2 the second. occurrence > > Signed-off-by: Zwane Mwaikambo <zwane@xxxxxxxxx> > --- > > diff --git a/drivers/usb/typec/ucsi/ucsi.c b/drivers/usb/typec/ucsi/ucsi.c > index d0c63afaf..79061705e 100644 > --- a/drivers/usb/typec/ucsi/ucsi.c > +++ b/drivers/usb/typec/ucsi/ucsi.c > @@ -218,9 +218,10 @@ void ucsi_altmode_update_active(struct ucsi_connector *con) > if (cur < UCSI_MAX_ALTMODES) > altmode = typec_altmode_get_partner(con->port_altmode[cur]); > > - for (i = 0; con->partner_altmode[i]; i++) > - typec_altmode_update_active(con->partner_altmode[i], > - con->partner_altmode[i] == altmode); > + for (i = 0; i < UCSI_MAX_ALTMODES; i++) > + if (con->partner_altmode[i]) > + typec_altmode_update_active(con->partner_altmode[i], > + con->partner_altmode[i] == altmode); What happened to the indentation here? Too much. > } > > static u8 ucsi_altmode_next_mode(struct typec_altmode **alt, u16 svid) > > -- ~Randy