authorZong Jiang <quic_zongjian@quicinc.com>2025-08-27 15:03:19 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2025-09-06 16:48:43 +0300
commit94fcae6cb1c1dec20a5bd0e324b23057fa4eae09 (patch)
tree01f9705bf61c99f235052de1a15983efcc1306e3
parente3fa89f3a768a9c61cf1bfe86b939ab5f36a9744 (diff)
serial: qcom-geni: Fix off-by-one error in ida_alloc_range()
The ida_alloc_range() function expects an inclusive range, meaning both the start and end values are valid allocation targets. Passing nr_ports as the upper bound allows allocation of an ID equal to nr_ports, which is out of bounds when used as an index into the port array. Fix this by subtracting 1 from nr_ports in both calls to ida_alloc_range(), ensuring the allocated ID stays within the valid range [start, nr_ports - 1]. This prevents potential out-of-bounds access when the allocated ID is used as an index. Fixes: 9391ab1ed9b3 ("serial: qcom-geni: Make UART port count configurable via Kconfig") Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/r/202508180815.R2nDyajs-lkp@intel.com/ Signed-off-by: Zong Jiang <quic_zongjian@quicinc.com> Link: https://lore.kernel.org/r/20250827120319.1682835-1-quic_zongjian@quicinc.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/tty/serial/qcom_geni_serial.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c
index 9c7b1cea7cfe..0b474d349531 100644
--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -271,9 +271,11 @@ static struct qcom_geni_serial_port *get_port_from_line(int line, bool console,
int max_alias_num = of_alias_get_highest_id("serial");
if (line < 0 || line >= nr_ports)
- line = ida_alloc_range(&port_ida, max_alias_num + 1, nr_ports, GFP_KERNEL);
+ line = ida_alloc_range(&port_ida, max_alias_num + 1,
+ nr_ports - 1, GFP_KERNEL);
else
- line = ida_alloc_range(&port_ida, line, nr_ports, GFP_KERNEL);
+ line = ida_alloc_range(&port_ida, line,
+ nr_ports - 1, GFP_KERNEL);
if (line < 0)
return ERR_PTR(-ENXIO);
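Review bot: Both new `nr_ports - 1` upper bounds rely on nr_ports being at least 1, and nothing visible in this hunk enforces that. nr_ports is set outside the hunk, and the commit message says the port count is configurable via Kconfig. If it could ever be 0, the bound becomes -1, which ida_alloc_range() takes as an unsigned max and, to my knowledge, treats as "no upper limit", so the returned ID would again be unbounded when used as an index into the port array. Consider a guard ahead of the allocation, `if (nr_ports <= 0) return ERR_PTR(-ENXIO);`, or at least a comment recording the invariant, `/* ida_alloc_range() max is inclusive; requires nr_ports >= 1 */`. get_port_from_line() begins and ends outside the hunk, so an existing check or a Kconfig range may already cover this; that is worth confirming.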