From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Wed, 13 Aug 2025 05:38:27 +0000 (+0300)
Subject: gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()
X-Git-Tag: v6.18-rc1~168^2~89
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=148547000cfc1ba8cec02857268333d08724b9cc;p=thirdparty%2Fkernel%2Flinux.git

gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()

The "> chip->ngpio" comparison here needs to be ">= chip->ngpio",
otherwise it leads to an out of bounds access.  The fwd->valid_mask
bitmap only has chip->ngpio bits and the fwd->descs[] array has that
same number of elements.  These values are set in
devm_gpiochip_fwd_alloc().

Fixes: c44ce91b8ada ("gpio: aggregator: refactor the code to add GPIO desc in the forwarder")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/aJwk0yBSCccGCjX3@stanley.mountain
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---

diff --git a/drivers/gpio/gpio-aggregator.c b/drivers/gpio/gpio-aggregator.c
index 0ef6556f98b13..37600faf4a4b7 100644
--- a/drivers/gpio/gpio-aggregator.c
+++ b/drivers/gpio/gpio-aggregator.c
@@ -744,7 +744,7 @@ int gpiochip_fwd_desc_add(struct gpiochip_fwd *fwd, struct gpio_desc *desc,
 {
 	struct gpio_chip *chip = &fwd->chip;
 
-	if (offset > chip->ngpio)
+	if (offset >= chip->ngpio)
 		return -EINVAL;
 
 	if (test_and_set_bit(offset, fwd->valid_mask))