pinctrl: stm32: fix array read out of bound

The existing code does not verify if the "tentative" index exceeds
the size of the array, causing out of bound read.
Issue identified with kasan.

Check the index before using it.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
Link: https://lore.kernel.org/r/20231107110520.4449-1-antonio.borneo@foss.st.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>

diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index 3a9c458d3fc9820e0d322a18ebf0cf50821a32c9..603f900e88c18a50ea01c33b8e52ef8154327880 100644 (file)
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1273,9 +1273,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi
        int i;
 
        /* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */
-       pin_desc = pctl->pins + stm32_pin_nb;
-       if (pin_desc->pin.number == stm32_pin_nb)
-               return pin_desc;
+       if (stm32_pin_nb < pctl->npins) {
+               pin_desc = pctl->pins + stm32_pin_nb;
+               if (pin_desc->pin.number == stm32_pin_nb)
+                       return pin_desc;
+       }
 
        /* Otherwise, loop all array to find the pin with the right number */
        for (i = 0; i < pctl->npins; i++) {