Re: [PATCH next] gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()
From: Geert Uytterhoeven
Date: Wed Aug 13 2025 - 02:52:51 EST
On Wed, 13 Aug 2025 at 07:38, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> The "> chip->ngpio" comparison here needs to be ">= chip->ngpio",
> otherwise it leads to an out of bounds access. The fwd->valid_mask
> bitmap only has chip->ngpio bits and the fwd->descs[] array has that
> same number of elements. These values are set in
> devm_gpiochip_fwd_alloc().
>
> Fixes: c44ce91b8ada ("gpio: aggregator: refactor the code to add GPIO desc in the forwarder")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reviewed-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
> --- a/drivers/gpio/gpio-aggregator.c
> +++ b/drivers/gpio/gpio-aggregator.c
> @@ -744,7 +744,7 @@ int gpiochip_fwd_desc_add(struct gpiochip_fwd *fwd, struct gpio_desc *desc,
> {
> struct gpio_chip *chip = &fwd->chip;
>
> - if (offset > chip->ngpio)
> + if (offset >= chip->ngpio)
> return -EINVAL;
>
> if (test_and_set_bit(offset, fwd->valid_mask))
Looks like my similar comment in
https://lore.kernel.org/all/CAMuHMdVLo2w609eFOKRkYAfEMb8XOTNB-XzzZn_89VM-YV_-kA@xxxxxxxxxxxxxx/
was lost in the noise. I'll try to remember to make ">=" stand out more
among all quoted code.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds