Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp4535630imm;
        Mon, 17 Sep 2018 16:03:37 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdZIih6eN9g+6JL9W2OguO5Z0puGSepSO6faer0QPLvhdmGWE8qi/zRdpFkg0az1xg2qGT72
X-Received: by 2002:a63:b812:: with SMTP id p18-v6mr24854958pge.156.1537225417886;
        Mon, 17 Sep 2018 16:03:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1537225417; cv=none;
        d=google.com; s=arc-20160816;
        b=QV+hkVNpIGmUn2vvFJvURAtns/fveDzsOuMPcsNHWmotxb0p1GF5Vpj1NEA3v8g5tf
         /AwoT4Ibxq1FRueW4QJe0gaQqlIcR1jipjvEq/Cg7ydSGHEYEc1tgRFMQxpjM0KshxDi
         O/l0+DHFeggMsBLlvIuQuaIH+zVM95lPkrYzSd5TD/zcQ/0FjBv5GQ24+Sr3BBtJ+51/
         2S0wfiLEZgMxZN+IvVj7viyVThdABnjRqITtBimfTpfFwNgwwY72f0NzdI8iyn6fmNJJ
         V5FwB9TFAXTEBJ/VnpJFpgL5Pws0aBbc2Im9bUQ2tQyV7q/IKhAGWUcieCDlTlIenZT4
         +Pcg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from;
        bh=/qI/fI3MKTneJmpow+/v3zQAn6Z2WAy9umYEkFwe+jE=;
        b=kNOS3s2TSfgTxYs4ULC5Rv9GAYd7vHqakiBtkFBSkuzjHASY/rakh9Mwx9uaFYhPct
         EMQgj0Qh0u+iuG3L5M+wlGMTR8tR+qX8oYD2LY76/vvzHhO4VvOWnYe+b+Bt7aHKWGbG
         1Uxd12ztGK+GTgWEvEG4LWmraoloXNdJRdDQf+Y6bf0A52NbfLMnYMtGLZCg1lhGcUBy
         g+XpsRmwLrf8R9ULnTckWqLcKpX9XKp5pURno03Zy/RRfl68Q1yULEbNtL2TqjLjDVfS
         7UoDc2i9UjexslfJz0ab2+N58pKO+Hm2J0BQ/5pGd99uIF+q0WNdyvWDCkBYsSE9Z39r
         Rzqw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u6-v6si17246601pfu.143.2018.09.17.16.03.22;
        Mon, 17 Sep 2018 16:03:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730540AbeIREce (ORCPT <rfc822;mailist1go@gmail.com>
        + 99 others); Tue, 18 Sep 2018 00:32:34 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:48684 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726987AbeIREcd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Sep 2018 00:32:33 -0400
Received: from localhost (li1825-44.members.linode.com [172.104.248.44])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 4912BC77;
        Mon, 17 Sep 2018 23:03:05 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Anton Vasilyev <vasilyev@ispras.ru>,
        Linus Walleij <linus.walleij@linaro.org>,
        Sasha Levin <alexander.levin@microsoft.com>
Subject: [PATCH 4.14 065/126] gpio: ml-ioh: Fix buffer underwrite on probe error path
Date:   Tue, 18 Sep 2018 00:41:53 +0200
Message-Id: <20180917211708.611315061@linuxfoundation.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20180917211703.481236999@linuxfoundation.org>
References: <20180917211703.481236999@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anton Vasilyev <vasilyev@ispras.ru>

[ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ]

If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point
to any element of chip_save array, so reverse iteration from pointer chip
may become chip_save[-1] and gpiochip_remove() will operate with wrong
memory.

The patch fix the error path of ioh_gpio_probe() to correctly bypass
chip_save array.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpio-ml-ioh.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpio/gpio-ml-ioh.c
+++ b/drivers/gpio/gpio-ml-ioh.c
@@ -497,9 +497,10 @@ static int ioh_gpio_probe(struct pci_dev
 	return 0;
 
 err_gpiochip_add:
+	chip = chip_save;
 	while (--i >= 0) {
-		chip--;
 		gpiochip_remove(&chip->gpio);
+		chip++;
 	}
 	kfree(chip_save);