On Fri, 12 Jul 2024 11:43:09 +0300 Alexandra Diupina <adiupina@xxxxxxxxxxxxx> wrote:

> In kirin_pcie_parse_port() pcie->num_slots is compared to
> pcie->gpio_id_reset size (MAX_PCI_SLOTS). Need to fix
> condition to pcie->num_slots >= MAX_PCI_SLOTS to
> avoid out of bounds array access.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
> Signed-off-by: Alexandra Diupina <adiupina@xxxxxxxxxxxxx>
> --- > drivers/pci/controller/dwc/pcie-kirin.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c > index d5523f302102..5ef3384c137d 100644 > --- a/drivers/pci/controller/dwc/pcie-kirin.c > +++ b/drivers/pci/controller/dwc/pcie-kirin.c > @@ -413,7 +413,7 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie, > continue; > > pcie->num_slots++; > - if (pcie->num_slots > MAX_PCI_SLOTS) { > + if (pcie->num_slots >= MAX_PCI_SLOTS) { > dev_err(dev, "Too many PCI slots!\n"); > ret = -EINVAL; > goto put_node;

Hmm... the logic will keep num_slots incremented when the error condition is triggered.

IMO, the code should be, instead:

	if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
		dev_err(dev, "Too many PCI slots!\n");
		ret = -EINVAL;
		goto put_node;
	}
	pcie->num_slots++;

Thanks,
Mauro
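
Review bot: pcie->num_slots++ sits above the bounds check in the quoted hunk, so on the goto put_node path the counter is left holding the rejected value (MAX_PCI_SLOTS once the test is >=), and any later code that treats num_slots as a count or an index will see it. Test the bound before incrementing so the error path leaves the state unchanged. The commit message should also name the array access that goes out of bounds: the hunk shows only the comparison, not where gpio_id_reset is indexed, so whether >= rather than > is the right bound cannot be confirmed from these lines alone.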