| Message ID | ZRbwU8Qnx28gpbuO@work |
|---|---|
| State | New |
| Headers | show |
| Series | [next] media: usb: siano: Fix undefined behavior bug in struct smsusb_urb_t | expand |
diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c index 9d9e14c858e6..2c048f8e8371 100644 --- a/drivers/media/usb/siano/smsusb.c +++ b/drivers/media/usb/siano/smsusb.c @@ -40,10 +40,10 @@ struct smsusb_urb_t { struct smscore_buffer_t *cb; struct smsusb_device_t *dev; - struct urb urb; - /* For the bottom half */ struct work_struct wq; + + struct urb urb; }; struct smsusb_device_t {
`struct urb` is a flexible structure, which means that it contains a flexible-array member at the bottom. This could potentially lead to an overwrite of the object `wq` at run-time with the contents of `urb`. Fix this by placing object `urb` at the end of `struct smsusb_urb_t`. Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic") Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> --- drivers/media/usb/siano/smsusb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)