On 09/01/2019 06:57, Pi-Hsun Shih wrote:
The mtk_thermal struct contains a 'struct mtk_thermal_bank banks[];', but the allocation only allocates sizeof(struct mtk_thermal) bytes, which cause out of bound access with the ->banks[] member. Change it to a fixed size array instead.
Signed-off-by: Pi-Hsun Shih pihsun@chromium.org
For the next time, please don't forget to provide a fixes tag so that it can get into stable trees automatically.
For the records, it fixes commit (v4.9): b7cf0053738c ("thermal: Add Mediatek thermal driver for mt2701.")
drivers/thermal/mtk_thermal.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/thermal/mtk_thermal.c b/drivers/thermal/mtk_thermal.c index 0691f260f6eabe..ea11edb3fcced6 100644 --- a/drivers/thermal/mtk_thermal.c +++ b/drivers/thermal/mtk_thermal.c @@ -159,6 +159,9 @@ #define MT7622_NUM_SENSORS_PER_ZONE 1 #define MT7622_TS1 0 +/* The maximum number of banks */ +#define MAX_NUM_ZONES 8
struct mtk_thermal; struct thermal_bank_cfg { @@ -178,7 +181,7 @@ struct mtk_thermal_data { const int *sensor_mux_values; const int *msr; const int *adcpnp;
- struct thermal_bank_cfg bank_data[];
- struct thermal_bank_cfg bank_data[MAX_NUM_ZONES];
}; struct mtk_thermal { @@ -197,7 +200,7 @@ struct mtk_thermal { s32 vts[MT8173_NUM_SENSORS]; const struct mtk_thermal_data *conf;
- struct mtk_thermal_bank banks[];
- struct mtk_thermal_bank banks[MAX_NUM_ZONES];
}; /* MT8173 thermal sensor data */
linux-stable-mirror@lists.linaro.org
-
Matthias Brugger