@@ -1249,14 +1249,12 @@ static int i5000_init_csrows(struct mem_
struct i5000_pvt *pvt;
struct dimm_info *dimm;
int empty;
- int max_csrows;
int mtr;
int csrow_megs;
int channel;
int slot;
pvt = mci->pvt_info;
- max_csrows = pvt->maxdimmperch * 2;
empty = 1; /* Assume NO memory */
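Review bot: the removed `max_csrows = pvt->maxdimmperch * 2;` was named for csrows but was only ever used to bound a loop over `slot`, and that unit mismatch deserves a sentence in the commit message so the reason for dropping the factor of two is on record. The diffstat (1 insertion, 3 deletions) matches a single consumer of the variable, so removing the declaration and the assignment together leaves nothing dangling.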
@@ -1267,7 +1265,7 @@ struct i5000_pvt *pvt;
* to map the dimms. A good cleanup would be to remove this array,
* and do a loop here with branch, channel, slot
*/
- for (slot = 0; slot < max_csrows; slot++) {
+ for (slot = 0; slot < pvt->maxdimmperch; slot++) {
for (channel = 0; channel < pvt->maxch; channel++) {
mtr = determine_mtr(pvt, slot, channel);
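Review bot: with the bound changed to `slot < pvt->maxdimmperch`, this loop condition is the only thing keeping `determine_mtr(pvt, slot, channel)` inside the MTR array the commit message names (i5000_pvt.b1_mtr[]), and nothing in the hunk ties the bound to that array's size. Consider either a range check on `slot` inside determine_mtr() or a one-line comment here stating that the slot index must stay below the per-branch MTR array length, so a later rework of the branch/slot/channel mapping cannot silently reintroduce the out-of-bounds read that KASAN caught.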
When the logic mapping branch/slot/channel was reworked back in 64e1fdaf55d6 ("i5000_edac: Fix the logic that retrieves memory information") i5000_init_csrows() was not updated and kept passing twice the number of slots to determine_mtr(), which leads to accessing past the end of i5000_pvt.b1_mtr[]. This was found by KASAN.

Fixes: 64e1fdaf55d6 ("i5000_edac: Fix the logic that retrieves memory information")
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Signed-off-by: Aristeu Rozanski <aris@redhat.com>
---
 drivers/edac/i5000_edac.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)