If the ubidetach command is given a number that passes the range check in ubi_detach_mtd_dev, but at which index the ubi_devices array contains a NULL pointer, ubi_get_device tries to dereference this NULL pointer to increment the ubi device reference count. Signed-off-by: Philipp Zabel <p.zabel@xxxxxxxxxxxxxx> --- drivers/mtd/ubi/build.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index da21f69..b908fcd 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -104,6 +104,8 @@ struct ubi_device *ubi_get_device(int ubi_num) struct ubi_device *ubi; ubi = ubi_devices[ubi_num]; + if (!ubi) + return NULL; ubi->ref_count++; -- 1.9.0 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
