pinctrl: mediatek: fix global-out-of-bounds issue

commit 2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d upstream.

When eint virtual eint number is greater than gpio number,
it maybe produce 'desc[eint_n]' size globle-out-of-bounds issue.

Signed-off-by: Guodong Liu <guodong.liu@mediatek.corp-partner.google.com>
Signed-off-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Link: https://lore.kernel.org/r/20211110071900.4490-2-zhiyong.tao@mediatek.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
index 45ebdeba985aeaf77b3d8649b943c125434c0b2d..12163d3c4bcb03c889a11470d7643122aab743b5 100644 (file)
--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
@@ -285,8 +285,12 @@ static int mtk_xt_get_gpio_n(void *data, unsigned long eint_n,
        desc = (const struct mtk_pin_desc *)hw->soc->pins;
        *gpio_chip = &hw->chip;
 
-       /* Be greedy to guess first gpio_n is equal to eint_n */
-       if (desc[eint_n].eint.eint_n == eint_n)
+       /*
+        * Be greedy to guess first gpio_n is equal to eint_n.
+        * Only eint virtual eint number is greater than gpio number.
+        */
+       if (hw->soc->npins > eint_n &&
+           desc[eint_n].eint.eint_n == eint_n)
                *gpio_n = eint_n;
        else
                *gpio_n = mtk_xt_find_eint_num(hw, eint_n);