From: Guodong Liu <guodong.liu@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> [ Upstream commit 2d5446da5acecf9c67db1c9d55ae2c3e5de01f8d ] When eint virtual eint number is greater than gpio number, it maybe produce 'desc[eint_n]' size globle-out-of-bounds issue. Signed-off-by: Guodong Liu <guodong.liu@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> Signed-off-by: Zhiyong Tao <zhiyong.tao@xxxxxxxxxxxx> Reviewed-by: Chen-Yu Tsai <wenst@xxxxxxxxxxxx> Link: https://lore.kernel.org/r/20211110071900.4490-2-zhiyong.tao@xxxxxxxxxxxx Signed-off-by: Linus Walleij <linus.walleij@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c index 45ebdeba985ae..12163d3c4bcb0 100644 --- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c +++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c @@ -285,8 +285,12 @@ static int mtk_xt_get_gpio_n(void *data, unsigned long eint_n, desc = (const struct mtk_pin_desc *)hw->soc->pins; *gpio_chip = &hw->chip; - /* Be greedy to guess first gpio_n is equal to eint_n */ - if (desc[eint_n].eint.eint_n == eint_n) + /* + * Be greedy to guess first gpio_n is equal to eint_n. + * Only eint virtual eint number is greater than gpio number. + */ + if (hw->soc->npins > eint_n && + desc[eint_n].eint.eint_n == eint_n) *gpio_n = eint_n; else *gpio_n = mtk_xt_find_eint_num(hw, eint_n); -- 2.34.1