On Thu, Aug 25, 2011 at 6:15 PM, Dan Carpenter <error27@xxxxxxxxx> wrote:
> Hi Grant,
>
> There is a memory corruption bug in 176f9f29cec9 "STAGING:iio:light:
> fix ISL29018 init to handle brownout".
>
> In isl29018_chip_init() we call:
>         status = isl29018_write_data(client, ISL29018_REG_TEST, 0,
>                                      ISL29018_TEST_MASK, ISL29018_TEST_SHIFT);
>
> where ISL29018_REG_TEST is 8.
>
> In isl29018_write_data() it uses reg (ISL29018_REG_TEST) as the
> offset into the ->reg_cache[] array:
>         chip->reg_cache[reg] = regval;
>
> But ->reg_cache[] only has 3 elements, so we're past the end of the
> array.

Wow! Thanks! I'll look at the code in the morning and suggest a fix.

> I don't know the code well enough to fix this.

No problem - I'm happy you spotted this.

My initial suggestion for a fix is to just not reference reg_cache if
"reg" exceeds the size of reg_cache. In other words, don't cache those
values. This should normally work well since we don't otherwise touch that
register in the driver AFAICT. But I'll review the code some more tomorrow
before submitting a fix.

cheers,
grant

>
> regards,
> dan carpenter
>
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
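The following is an added example, not code from the isl29018 driver or from either poster. It is a constructed, user-space model of the read-modify-write pattern Dan describes (a 3-entry register cache, a TEST register numbered 8) with the bounds check Grant proposes: registers that have no cache slot are still written to the device but are never read from or stored into the cache. All names (`demo_chip`, `demo_write_data`, `demo_bus_write`, the `DEMO_*` constants) and the bus stand-in are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the register layout described in the thread
 * (assumption: only the cache size and the TEST register number are
 * taken from the mail; everything else is made up for the example). */
#define DEMO_REG_CACHE_SIZE 3
#define DEMO_REG_TEST       8
#define DEMO_TEST_MASK      0xff
#define DEMO_TEST_SHIFT     0

struct demo_chip {
	uint8_t reg_cache[DEMO_REG_CACHE_SIZE];
	uint8_t canary;        /* placed right after the cache so a write past
	                        * the end would be observable in a test */
	uint8_t bus_regs[16];  /* stand-in for the I2C device's register file */
};

/* Stand-in for the bus write: records what the device would receive.
 * Returns 0 on success, -1 if the register does not exist. */
int demo_bus_write(struct demo_chip *chip, unsigned int reg, uint8_t val)
{
	if (reg >= sizeof(chip->bus_regs))
		return -1;
	chip->bus_regs[reg] = val;
	return 0;
}

/* Read-modify-write of the field (mask << shift) in register `reg`.
 * The cache is consulted and updated only for registers that have a
 * cache slot; any other register is written through without caching,
 * which is the fix Grant suggests in the thread. */
int demo_write_data(struct demo_chip *chip, unsigned int reg,
		    uint8_t val, uint8_t mask, uint8_t shift)
{
	uint8_t regval = 0;

	/* Bounds check before the read: an uncached register starts from 0. */
	if (reg < DEMO_REG_CACHE_SIZE)
		regval = chip->reg_cache[reg];

	regval &= (uint8_t)~(mask << shift);
	regval |= (uint8_t)((val & mask) << shift);

	if (demo_bus_write(chip, reg, regval))
		return -1;

	/* Bounds check before the store: never index past the cache. */
	if (reg < DEMO_REG_CACHE_SIZE)
		chip->reg_cache[reg] = regval;

	return 0;
}

/* Mirrors the init step from the mail: clear the TEST register. */
int demo_chip_init(struct demo_chip *chip)
{
	return demo_write_data(chip, DEMO_REG_TEST, 0,
			       DEMO_TEST_MASK, DEMO_TEST_SHIFT);
}
```

The check has to guard both the load and the store: the original report is about the store, but the preceding read of `reg_cache[reg]` indexes with the same value and would be an out-of-bounds read. The trade-off Grant notes also shows in the model: a write-through register always starts its read-modify-write from 0, so this is only safe for registers the driver never updates field-by-field.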