In device_tree_for_each_node the call to the callback was using
{address,size}_cells[depth - 1], which at depth 0 could read off the
front of the array.We already handled this correctly in the rest of the loop so fixup this instance as well. Reported-by: Chris (Christopher) Brand <[email protected]> Signed-off-by: Ian Campbell <[email protected]> Cc: Chris (Christopher) Brand <[email protected]> --- xen/arch/arm/bootfdt.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/xen/arch/arm/bootfdt.c b/xen/arch/arm/bootfdt.c index e100233..74d208b 100644 --- a/xen/arch/arm/bootfdt.c +++ b/xen/arch/arm/bootfdt.c @@ -100,6 +100,7 @@ static int __init device_tree_for_each_node(const void *fdt, node = fdt_next_node(fdt, node, &depth) ) { const char *name = fdt_get_name(fdt, node, NULL); + u32 as, ss; if ( depth >= DEVICE_TREE_MAX_DEPTH ) { @@ -108,14 +109,15 @@ static int __init device_tree_for_each_node(const void *fdt, continue; } - address_cells[depth] = device_tree_get_u32(fdt, node, "#address-cells", - depth > 0 ? address_cells[depth-1] : 0); - size_cells[depth] = device_tree_get_u32(fdt, node, "#size-cells", - depth > 0 ? size_cells[depth-1] : 0); + as = depth > 0 ? address_cells[depth-1] : 0; + ss = depth > 0 ? size_cells[depth-1] : 0; + address_cells[depth] = device_tree_get_u32(fdt, node, + "#address-cells", as); + size_cells[depth] = device_tree_get_u32(fdt, node, + "#size-cells", ss); - ret = func(fdt, node, name, depth, - address_cells[depth-1], size_cells[depth-1], data); + ret = func(fdt, node, name, depth, as, ss, data); if ( ret != 0 ) return ret; } -- 2.1.4 _______________________________________________ Xen-devel mailing list [email protected] http://lists.xen.org/xen-devel
