| From foo@baz Mon Sep 17 12:33:31 CEST 2018 |
| From: Anton Vasilyev <vasilyev@ispras.ru> |
| Date: Mon, 23 Jul 2018 19:53:30 +0300 |
| Subject: gpio: ml-ioh: Fix buffer underwrite on probe error path |
| |
| From: Anton Vasilyev <vasilyev@ispras.ru> |
| |
| [ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ] |
| |
| If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point |
| to any element of chip_save array, so reverse iteration from pointer chip |
| may become chip_save[-1] and gpiochip_remove() will operate with wrong |
| memory. |
| |
| The patch fix the error path of ioh_gpio_probe() to correctly bypass |
| chip_save array. |
| |
| Found by Linux Driver Verification project (linuxtesting.org). |
| |
| Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru> |
| Signed-off-by: Linus Walleij <linus.walleij@linaro.org> |
| Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/gpio/gpio-ml-ioh.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/gpio/gpio-ml-ioh.c |
| +++ b/drivers/gpio/gpio-ml-ioh.c |
| @@ -497,9 +497,10 @@ static int ioh_gpio_probe(struct pci_dev |
| return 0; |
| |
| err_gpiochip_add: |
| + chip = chip_save; |
| while (--i >= 0) { |
| - chip--; |
| gpiochip_remove(&chip->gpio); |
| + chip++; |
| } |
| kfree(chip_save); |
| |
