regulator: fan53555: Check pdata->slew_rate setting

Current code does not really avoid array access out of bounds, fix it by add checking for pdata->slew_rate. If pdata->slew_rate is too big, it's a bug in pdata that needs fix. Signed-off-by: Axel Lin <axel.lin@ingics.com> Signed-off-by: Mark Brown <broonie@kernel.org>
author: Axel Lin <axel.lin@ingics.com> 2019-02-24 06:21:46 +0300
committer: Mark Brown <broonie@kernel.org> 2019-02-26 14:48:49 +0300
commit: 87919e0cf166454caf202fcddeea42c8eba700ea (patch)
tree: 223f9ee7f9d88426fecc21f429607320d468a4f7
parent: 5db2efbe115e53153aba2e02a87c62f2e78e3102 (diff)
download: linux-87919e0cf166454caf202fcddeea42c8eba700ea.tar.xz
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/regulator/fan53555.c b/drivers/regulator/fan53555.c
index d7142352f6bc..771a06d1900d 100644
--- a/drivers/regulator/fan53555.c
+++ b/drivers/regulator/fan53555.c
@@ -490,11 +490,13 @@ static int fan53555_regulator_probe(struct i2c_client *client,
 	} else {
 		/* if no ramp constraint set, get the pdata ramp_delay */
 		if (!di->regulator->constraints.ramp_delay) {
-			int slew_idx = (pdata->slew_rate & 0x7)
-						? pdata->slew_rate : 0;
+			if (pdata->slew_rate >= ARRAY_SIZE(slew_rates)) {
+				dev_err(&client->dev, "Invalid slew_rate\n");
+				return -EINVAL;
+			}
 
 			di->regulator->constraints.ramp_delay
-						= slew_rates[slew_idx];
+					= slew_rates[pdata->slew_rate];
 		}
 
 		di->vendor = id->driver_data;
author	Axel Lin <axel.lin@ingics.com>	2019-02-24 06:21:46 +0300
committer	Mark Brown <broonie@kernel.org>	2019-02-26 14:48:49 +0300
commit	87919e0cf166454caf202fcddeea42c8eba700ea (patch)
tree	223f9ee7f9d88426fecc21f429607320d468a4f7
parent	5db2efbe115e53153aba2e02a87c62f2e78e3102 (diff)
download	linux-87919e0cf166454caf202fcddeea42c8eba700ea.tar.xz