gpio: mcp23s08: fixed count variable for devicetree probing

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Fixed missing increase of count variable for devicetree path in driver
probing.

The gpio-mcp23s08 driver has two paths for getting the platform
registration information. One for the classic platform initialization
and one for openfirmware devicetree based initialization. The devicetree
based path is missing the increase of the count variable, which results
in the count variable to become negative in the later use, where it is
decreased. The count variable is used as an index into a vector. This
results in accessing invalid memory space and can result in an exception.

Tested this with an AM3352 SoC with two mcp23s17 on two chip selects as
well as on a shared chip select.

Signed-off-by: Michael Stickel <ms@mycable.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>

authored by

Michael Stickel and committed by

Linus Walleij 12 years ago 3e3bed91 821e85f2

+10 -1

1 changed file

expand all

drivers

gpio

gpio-mcp23s08.c

+10 -1

drivers/gpio/gpio-mcp23s08.c

··· 895 895 return -ENODEV; 896 896 } 897 897 898 - for (addr = 0; addr < ARRAY_SIZE(pdata->chip); addr++) 898 + for (addr = 0; addr < ARRAY_SIZE(pdata->chip); addr++) { 899 899 pullups[addr] = 0; 900 + if (spi_present_mask & (1 << addr)) 901 + chips++; 902 + } 903 + if (!chips) 904 + return -ENODEV; 900 905 } else { 901 906 type = spi_get_device_id(spi)->driver_data; 902 907 pdata = dev_get_platdata(&spi->dev); ··· 940 935 if (!(spi_present_mask & (1 << addr))) 941 936 continue; 942 937 chips--; 938 + if (chips < 0) { 939 + dev_err(&spi->dev, "FATAL: invalid negative chip id\n"); 940 + goto fail; 941 + } 943 942 data->mcp[addr] = &data->chip[chips]; 944 943 status = mcp23s08_probe_one(data->mcp[addr], &spi->dev, spi, 945 944 0x40 | (addr << 1), type, base,