Skip to content

Commit 4bf4eed

Browse files
Druidoslinusw
Druidos
authored and
linusw
committed
gpio: ml-ioh: Fix buffer underwrite on probe error path
If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point to any element of chip_save array, so reverse iteration from pointer chip may become chip_save[-1] and gpiochip_remove() will operate with wrong memory. The patch fix the error path of ioh_gpio_probe() to correctly bypass chip_save array. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
1 parent 1777fc9 commit 4bf4eed

File tree

1 file changed

+2
-1
lines changed

1 file changed

+2
-1
lines changed

drivers/gpio/gpio-ml-ioh.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -496,9 +496,10 @@ static int ioh_gpio_probe(struct pci_dev *pdev,
496496
return 0;
497497

498498
err_gpiochip_add:
499+
chip = chip_save;
499500
while (--i >= 0) {
500-
chip--;
501501
gpiochip_remove(&chip->gpio);
502+
chip++;
502503
}
503504
kfree(chip_save);
504505

0 commit comments

Comments
 (0)