From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-co1nam03on0097.outbound.protection.outlook.com ([104.47.40.97]:50844 "EHLO NAM03-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729895AbeIBRan (ORCPT ); Sun, 2 Sep 2018 13:30:43 -0400 From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Anton Vasilyev , Linus Walleij , Sasha Levin Subject: [PATCH AUTOSEL 4.9 29/62] gpio: ml-ioh: Fix buffer underwrite on probe error path Date: Sun, 2 Sep 2018 13:14:40 +0000 Message-ID: <20180902131411.183978-19-alexander.levin@microsoft.com> References: <20180902131411.183978-1-alexander.levin@microsoft.com> In-Reply-To: <20180902131411.183978-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Anton Vasilyev [ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ] If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point to any element of chip_save array, so reverse iteration from pointer chip may become chip_save[-1] and gpiochip_remove() will operate with wrong memory. The patch fix the error path of ioh_gpio_probe() to correctly bypass chip_save array. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin --- drivers/gpio/gpio-ml-ioh.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpio-ml-ioh.c b/drivers/gpio/gpio-ml-ioh.c index 796a5a4bc4f5..e9b607417df9 100644 --- a/drivers/gpio/gpio-ml-ioh.c +++ b/drivers/gpio/gpio-ml-ioh.c @@ -495,9 +495,10 @@ static int ioh_gpio_probe(struct pci_dev *pdev, =20 chip =3D chip_save; err_gpiochip_add: + chip =3D chip_save; while (--i >=3D 0) { - chip--; gpiochip_remove(&chip->gpio); + chip++; } kfree(chip_save); =20 --=20 2.17.1