[PATCH next] gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()

From: Dan Carpenter
Date: Wed Aug 13 2025 - 01:39:41 EST

Next message: Vikram Sharma: "[PATCH v3 3/7] media: qcom: camss: Add CSIPHY support for QCS8300"
Previous message: Vikram Sharma: "[PATCH v3 2/7] media: qcom: camss: Add qcs8300 compatible"
Next in thread: Geert Uytterhoeven: "Re: [PATCH next] gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "> chip->ngpio" comparison here needs to be ">= chip->ngpio",
otherwise it leads to an out of bounds access. The fwd->valid_mask
bitmap only has chip->ngpio bits and the fwd->descs[] array has that
same number of elements. These values are set in
devm_gpiochip_fwd_alloc().

Fixes: c44ce91b8ada ("gpio: aggregator: refactor the code to add GPIO desc in the forwarder")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/gpio/gpio-aggregator.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-aggregator.c b/drivers/gpio/gpio-aggregator.c
index 0ef6556f98b1..37600faf4a4b 100644
--- a/drivers/gpio/gpio-aggregator.c
+++ b/drivers/gpio/gpio-aggregator.c
@@ -744,7 +744,7 @@ int gpiochip_fwd_desc_add(struct gpiochip_fwd *fwd, struct gpio_desc *desc,
{
struct gpio_chip *chip = &fwd->chip;

- if (offset > chip->ngpio)
+ if (offset >= chip->ngpio)
return -EINVAL;

if (test_and_set_bit(offset, fwd->valid_mask))
--
2.47.2

Next message: Vikram Sharma: "[PATCH v3 3/7] media: qcom: camss: Add CSIPHY support for QCS8300"
Previous message: Vikram Sharma: "[PATCH v3 2/7] media: qcom: camss: Add qcs8300 compatible"
Next in thread: Geert Uytterhoeven: "Re: [PATCH next] gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]