Patch "PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 30 Sep 2024 20:04:13 -0400

This is a note to let you know that I've just added the patch titled

    PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     pci-kirin-fix-buffer-overflow-in-kirin_pcie_parse_po.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8c8c57074b435386b079ba0a7ef7ee448ef790fa
Author: Alexandra Diupina <adiupina@xxxxxxxxxxxxx>
Date:   Tue Sep 3 14:58:23 2024 +0300

    PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()
    
    [ Upstream commit c500a86693a126c9393e602741e348f80f1b0fc5 ]
    
    Within kirin_pcie_parse_port(), the pcie->num_slots is compared to
    pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead
    to an overflow.
    
    Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
    pcie->num_slots increment below the if-statement to avoid out-of-bounds
    array access.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
    Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@xxxxxxxxxxxxx
    Signed-off-by: Alexandra Diupina <adiupina@xxxxxxxxxxxxx>
    [kwilczynski: commit log]
    Signed-off-by: Krzysztof Wilczyński <kwilczynski@xxxxxxxxxx>
    Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/pci/controller/dwc/pcie-kirin.c b/drivers/pci/controller/dwc/pcie-kirin.c
index 2ee146767971c..421697ec7591d 100644
--- a/drivers/pci/controller/dwc/pcie-kirin.c
+++ b/drivers/pci/controller/dwc/pcie-kirin.c
@@ -415,12 +415,12 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
 			if (pcie->gpio_id_reset[i] < 0)
 				continue;
 
-			pcie->num_slots++;
-			if (pcie->num_slots > MAX_PCI_SLOTS) {
+			if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
 				dev_err(dev, "Too many PCI slots!\n");
 				ret = -EINVAL;
 				goto put_node;
 			}
+			pcie->num_slots++;
 
 			ret = of_pci_get_devfn(child);
 			if (ret < 0) {







