All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: Ian Lartey <ian@opensource.wolfsonmicro.com>,
	Dimitris Papastamos <dp@opensource.wolfsonmicro.com>,
	Samuel Ortiz <sameo@linux.intel.com>,
	linux-kernel@vger.kernel.org
Subject: re: mfd: Simulate active high IRQs with wm831x
Date: Wed, 21 Sep 2011 09:44:15 +0300	[thread overview]
Message-ID: <20110921064415.GC4999@elgon.mountain> (raw)

Hi Mark,

Smatch complains about d71820b8a8fbe9 "mfd: Simulate active high IRQs
with wm831x"

drivers/mfd/wm831x-irq.c +522 wm831x_irq_thread(67)
	error: buffer overflow 'wm831x->gpio_level' 16 <= 56

   518                  /* Simulate an edge triggered IRQ by polling the input
   519                   * status.  This is sucky but improves interoperability.
   520                   */
   521                  if (primary == WM831X_GP_INT &&
   522                      wm831x->gpio_level[i - WM831X_IRQ_GPIO_1]) {
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   523                          ret = wm831x_reg_read(wm831x, WM831X_GPIO_LEVEL);
   524                          while (ret & 1 << (i - WM831X_IRQ_GPIO_1)) {
   525                                  handle_nested_irq(wm831x->irq_base + i);
   526                                  ret = wm831x_reg_read(wm831x,
   527                                                        WM831X_GPIO_LEVEL);
   528                          }
   529                  }

We're inside a for loop over ARRAY_SIZE(wm831x_irqs) which has 58
elements (so "i" is 0-57) and we subtract WM831X_IRQ_GPIO_1 (1) which
gives us a max of 56.  The ->gpio_level[] array only has 16 elements
so we're reading beyond the end of the array.

In wm831x_irq_set_type() it only sets the first 11 elements of the
->gpio_level[] array.  Perhaps something similar is needed here.  I
don't know the code well enough to say.

regards,
dan carpenter

             reply	other threads:[~2011-09-21  6:44 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-09-21  6:44 Dan Carpenter [this message]
2011-09-21 12:23 ` mfd: Simulate active high IRQs with wm831x Mark Brown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20110921064415.GC4999@elgon.mountain \
    --to=dan.carpenter@oracle.com \
    --cc=broonie@opensource.wolfsonmicro.com \
    --cc=dp@opensource.wolfsonmicro.com \
    --cc=ian@opensource.wolfsonmicro.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sameo@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.