From: Alexandra Diupina Date: Tue, 3 Sep 2024 11:58:23 +0000 (+0300) Subject: PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() X-Git-Tag: v6.10.13~271 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6dcc5b49d6607a741a14122bf3105f3ac50d259e;p=thirdparty%2Fkernel%2Fstable.git PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() [ Upstream commit c500a86693a126c9393e602741e348f80f1b0fc5 ] Within kirin_pcie_parse_port(), the pcie->num_slots is compared to pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead to an overflow. Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move pcie->num_slots increment below the if-statement to avoid out-of-bounds array access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge") Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@astralinux.ru Signed-off-by: Alexandra Diupina [kwilczynski: commit log] Signed-off-by: Krzysztof WilczyƄski Reviewed-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin --- diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c index d5523f3021024..deab1e653b9a3 100644 --- a/drivers/pci/controller/dwc/pcie-kirin.c +++ b/drivers/pci/controller/dwc/pcie-kirin.c @@ -412,12 +412,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie, if (pcie->gpio_id_reset[i] < 0) continue; - pcie->num_slots++; - if (pcie->num_slots > MAX_PCI_SLOTS) { + if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) { dev_err(dev, "Too many PCI slots!\n"); ret = -EINVAL; goto put_node; } + pcie->num_slots++; ret = of_pci_get_devfn(child); if (ret < 0) {