gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()

The "> chip->ngpio" comparison here needs to be ">= chip->ngpio",
otherwise it leads to an out of bounds access.  The fwd->valid_mask
bitmap only has chip->ngpio bits and the fwd->descs[] array has that
same number of elements.  These values are set in
devm_gpiochip_fwd_alloc().

Fixes: c44ce91b8ada ("gpio: aggregator: refactor the code to add GPIO desc in the forwarder")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/aJwk0yBSCccGCjX3@stanley.mountain
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>

diff --git a/drivers/gpio/gpio-aggregator.c b/drivers/gpio/gpio-aggregator.c
index 0ef6556f98b131eb899e8c9d9b58abe873b2db36..37600faf4a4b728ceb1937538b3f6b78ab3e90fa 100644 (file)
--- a/drivers/gpio/gpio-aggregator.c
+++ b/drivers/gpio/gpio-aggregator.c
@@ -744,7 +744,7 @@ int gpiochip_fwd_desc_add(struct gpiochip_fwd *fwd, struct gpio_desc *desc,
 {
        struct gpio_chip *chip = &fwd->chip;
 
-       if (offset > chip->ngpio)
+       if (offset >= chip->ngpio)
                return -EINVAL;
 
        if (test_and_set_bit(offset, fwd->valid_mask))