Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp6016598imm; Mon, 23 Jul 2018 09:56:53 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfSWpHd3R+cqGYjx3ONV9O88jrlU69ihSuj3Z9NazczDEtb5t24NRunKAVKWG3/vG/QuXTb X-Received: by 2002:a17:902:a989:: with SMTP id bh9-v6mr13840171plb.245.1532365013173; Mon, 23 Jul 2018 09:56:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532365013; cv=none; d=google.com; s=arc-20160816; b=dY/o4JN+VIJWKFU7qc/nFQV0XKcfNbleAwOIvo08cXyMATYFVA86BrUWVzLoh9Sk7B EueCar584DHLVDPEtzvG34jrlXeoVVPw+mdlUtqogcfAdgeLewEfEuz7WtlKed1chGwz SFRpuHnGRujGFZMnx3foSVMZt4N4RDJA4qL5Ro4t9n4vnIqFwp9c8JUiczf0hx3dY5Bn NTTbBblwItL+RCJUFMHtQQkeRRuY7KZ4OINcEaUmacPICtpRyOPlGt2iFDjy6Pz/IpoZ DBUOxCcApxdsY2FdxC8R4JhRxatFIkyTQU72rEg10Ir/111VDP7863Gdl09+S6EQbTE9 UfrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :arc-authentication-results; bh=q+IrGZ8J1qXjBWPVJfMfdDfa312LxnL3UHb3ZjPvpb8=; b=DRAFXZaiLU1GX/jgwXe5EtOefNP2U8XV0uZkmfcsUjxD9ZeaXWoIg75dbMWkJCIfuB SNBhABljz1MSTUPwIjc02f5flHuCOZmuoMVeeCs4koj/IPo+eccZHJhcf9ZAojgLf+H+ T+UaR3YKHkQ1JQsrooKXspgncLuTo+iZ3XghPReNp3z41aG3SM+MADVf5eptuwavLuTB din8CQr1khs8CQWOckF/W/DVT8RHY2xcl5/SbiuNQMBK83vhIUAV78fWh9IlOenkzQC/ pqXDehG0cH+CK2QR1KD45Y3iGDjewajfgbzVB3XxlQAx46Amjf2Kw6CX/Kx62ixpneU7 3hMw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t8-v6si1309603plo.77.2018.07.23.09.56.37; Mon, 23 Jul 2018 09:56:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388744AbeGWR4k (ORCPT + 99 others); Mon, 23 Jul 2018 13:56:40 -0400 Received: from bran.ispras.ru ([83.149.199.196]:25583 "EHLO smtp.ispras.ru" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728206AbeGWR4k (ORCPT ); Mon, 23 Jul 2018 13:56:40 -0400 Received: from myklebust.intra.ispras.ru (unknown [10.10.2.207]) by smtp.ispras.ru (Postfix) with ESMTP id 8DF12203C3; Mon, 23 Jul 2018 19:54:33 +0300 (MSK) From: Anton Vasilyev To: Linus Walleij Cc: Anton Vasilyev , linux-gpio@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org Subject: [PATCH] gpio: ml-ioh: Fix buffer underwrite on probe error path Date: Mon, 23 Jul 2018 19:53:30 +0300 Message-Id: <20180723165330.25213-1-vasilyev@ispras.ru> X-Mailer: git-send-email 2.18.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point to any element of chip_save array, so reverse iteration from pointer chip may become chip_save[-1] and gpiochip_remove() will operate with wrong memory. The patch fix the error path of ioh_gpio_probe() to correctly bypass chip_save array. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev --- drivers/gpio/gpio-ml-ioh.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-ml-ioh.c b/drivers/gpio/gpio-ml-ioh.c index b23d9a36be1f..51c7d1b84c2e 100644 --- a/drivers/gpio/gpio-ml-ioh.c +++ b/drivers/gpio/gpio-ml-ioh.c @@ -496,9 +496,10 @@ static int ioh_gpio_probe(struct pci_dev *pdev, return 0; err_gpiochip_add: + chip = chip_save; while (--i >= 0) { - chip--; gpiochip_remove(&chip->gpio); + chip++; } kfree(chip_save); -- 2.18.0