From: Antonio Borneo antonio.borneo@foss.st.com
stable inclusion from stable-v6.6.5 commit a9659016f9ebc0868b74d1982e38d3af4511f948 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8N21P
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit edd48fd9d45370d6c8ba0dd834fcc51ff688cc87 ]
The existing code does not verify if the "tentative" index exceeds the size of the array, causing out of bound read. Issue identified with kasan.
Check the index before using it.
Signed-off-by: Antonio Borneo antonio.borneo@foss.st.com Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names") Link: https://lore.kernel.org/r/20231107110520.4449-1-antonio.borneo@foss.st.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- drivers/pinctrl/stm32/pinctrl-stm32.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c index 419eca49ccec..346a31f31bba 100644 --- a/drivers/pinctrl/stm32/pinctrl-stm32.c +++ b/drivers/pinctrl/stm32/pinctrl-stm32.c @@ -1283,9 +1283,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi int i;
/* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */ - pin_desc = pctl->pins + stm32_pin_nb; - if (pin_desc->pin.number == stm32_pin_nb) - return pin_desc; + if (stm32_pin_nb < pctl->npins) { + pin_desc = pctl->pins + stm32_pin_nb; + if (pin_desc->pin.number == stm32_pin_nb) + return pin_desc; + }
/* Otherwise, loop all array to find the pin with the right number */ for (i = 0; i < pctl->npins; i++) {