pinctrl: stm32: fix array read out of bound

[ Upstream commit edd48fd9d45370d6c8ba0dd834fcc51ff688cc87 ]

The existing code does not verify if the "tentative" index exceeds
the size of the array, causing out of bound read.
Issue identified with kasan.

Check the index before using it.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
Link: https://lore.kernel.org/r/20231107110520.4449-1-antonio.borneo@foss.st.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index 419eca4..346a31f 100644 (file)
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1283,9 +1283,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi
        int i;
 
        /* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */
-       pin_desc = pctl->pins + stm32_pin_nb;
-       if (pin_desc->pin.number == stm32_pin_nb)
-               return pin_desc;
+       if (stm32_pin_nb < pctl->npins) {
+               pin_desc = pctl->pins + stm32_pin_nb;
+               if (pin_desc->pin.number == stm32_pin_nb)
+                       return pin_desc;
+       }
 
        /* Otherwise, loop all array to find the pin with the right number */
        for (i = 0; i < pctl->npins; i++) {