From: H Hartley Sweeten Date: Wed, 28 Jan 2015 16:58:56 +0000 (-0700) Subject: staging: comedi: addi_apci_1500: fix array access out of bounds error X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=76925260a8edba2b62b1639d651b0f3072e7c01b;p=linux-beck.git staging: comedi: addi_apci_1500: fix array access out of bounds error The private data 'pm', 'pt', and 'pp' array members hold the trigger mode parameters for ports A and B. Both ports are 8-bits and the arrays are 16-bits. Array index 0 defines the AND mode and index 1 the OR mode parameters for both ports. The valid triggers to start the async command are 0 to 3 which select the AND/OR mode for each port. The 'pb_trig' (the array index for port B) in apci1500_di_inttrig_start() is incorrect and results in an index of 0 or 2. Fix the calc so that the correct index (0/1) is used. Signed-off-by: H Hartley Sweeten Reported-by: Asaf Vertz Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/comedi/drivers/addi_apci_1500.c b/drivers/staging/comedi/drivers/addi_apci_1500.c index fc7db1de0b90..f15aa1f6b476 100644 --- a/drivers/staging/comedi/drivers/addi_apci_1500.c +++ b/drivers/staging/comedi/drivers/addi_apci_1500.c @@ -296,7 +296,7 @@ static int apci1500_di_inttrig_start(struct comedi_device *dev, unsigned int pa_mode = Z8536_PAB_MODE_PMS_DISABLE; unsigned int pb_mode = Z8536_PAB_MODE_PMS_DISABLE; unsigned int pa_trig = trig_num & 0x01; - unsigned int pb_trig = trig_num & 0x02; + unsigned int pb_trig = (trig_num >> 1) & 0x01; bool valid_trig = false; unsigned int val;
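Review bot: The new `pb_trig` initializer, like the `pa_trig` line above it, masks `trig_num` down to a single bit, so a value above 3 would silently alias onto a valid index instead of being rejected. The hunk does not show where `trig_num` is checked against the 0 to 3 range given in the commit message, so confirm that check runs before `pm`, `pt` and `pp` are indexed with these values. A short comment stating that bit 0 selects the AND/OR entry for port A and bit 1 selects it for port B would document why the shift is needed, and would make the old `trig_num & 0x02` mistake (an index of 0 or 2 where only 0 and 1 are valid) harder to reintroduce.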