pinctrl: stm32: fix array read out of bound

[ Upstream commit edd48fd9d45370d6c8ba0dd834fcc51ff688cc87 ]

The existing code does not verify if the "tentative" index exceeds
the size of the array, causing out of bound read.
Issue identified with kasan.

Check the index before using it.

Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com>
Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
Link: https://lore.kernel.org/r/20231107110520.4449-1-antonio.borneo@foss.st.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c
index 419eca49ccecba5f6e2b93965f22eb0e274d0c56..346a31f31bba805289f7fbd95bc5d2a3f6d66a4e 100644 (file)
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1283,9 +1283,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi
        int i;
 
        /* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */
-       pin_desc = pctl->pins + stm32_pin_nb;
-       if (pin_desc->pin.number == stm32_pin_nb)
-               return pin_desc;
+       if (stm32_pin_nb < pctl->npins) {
+               pin_desc = pctl->pins + stm32_pin_nb;
+               if (pin_desc->pin.number == stm32_pin_nb)
+                       return pin_desc;
+       }
 
        /* Otherwise, loop all array to find the pin with the right number */
        for (i = 0; i < pctl->npins; i++) {