diff options
| author |   Abdurrahman Hussain <abdurrahman@nexthop.ai> | 2026-05-18 17:52:25 -0700 |
|---|---|---|
| committer |   Guenter Roeck <linux@roeck-us.net> | 2026-05-21 06:59:05 -0700 |
| commit | d7834d92251baade796812876e95555e2066fa9f (patch) | |
| tree | bad1acb101474b19e7486ec69d542bfc6ba96d91 /include/linux/amba/ssh:/git@git.zx2c4.com | |
| parent | hwmon: (pmbus/adm1266) bounce blackbox records through a protocol-sized buffer (diff) | |
hwmon: (pmbus/adm1266) cap PDIO scan in get_multiple at ADM1266_PDIO_NR
adm1266_gpio_get_multiple() iterates the PDIO portion of the
caller-supplied mask using
for_each_set_bit_from(gpio_nr, mask,
ADM1266_GPIO_NR + ADM1266_PDIO_STATUS) {
...
}
where ADM1266_PDIO_STATUS is the PMBus command code (0xE9, i.e. 233),
not the number of PDIO pins. The intended upper bound is
ADM1266_GPIO_NR + ADM1266_PDIO_NR = 25.
gpiolib hands in a mask sized for gc.ngpio (= 25 bits on this chip),
so the iteration walks find_next_bit() up to 242, reading up to 217
extra bits (a handful of unsigned-long words: four on 64-bit, seven
on 32-bit) of whatever lives past the end of the mask in the
caller's stack. Any incidental set bit in that range then drives a
set_bit(gpio_nr, bits) call that writes past the end of the
caller-supplied bits array too -- both out-of-bounds.
Substitute ADM1266_PDIO_NR for the constant so the scan stops at the
last real PDIO bit.
Fixes: d98dfad35c38 ("hwmon: (pmbus/adm1266) Add support for GPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Abdurrahman Hussain <abdurrahman@nexthop.ai>
Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>
Reviewed-by: Linus Walleij <linusw@kernel.org>
Link: https://lore.kernel.org/r/20260518-adm1266-gpio-fixes-v3-1-e425e4f88139@nexthop.ai
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Diffstat (limited to 'include/linux/amba/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions