The ida_alloc_range() function expects an inclusive range, meaning both
the start and end values are valid allocation targets. Passing nr_ports
as the upper bound allows allocation of an ID equal to nr_ports, which
is out of bounds when used as an index into the port array.
Fix this by subtracting 1 from nr_ports in both calls to ida_alloc_range(),
ensuring the allocated ID stays within the valid range
[start, nr_ports - 1].
This prevents potential out-of-bounds access when the allocated ID is used
as an index.
Fixes: 9391ab1ed9b3 ("serial: qcom-geni: Make UART port count configurable via Kconfig")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202508180815.R2nDyajs-lkp@intel.com/
Signed-off-by: Zong Jiang <quic_zongjian@quicinc.com>
Link: https://lore.kernel.org/r/20250827120319.1682835-1-quic_zongjian@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
int max_alias_num = of_alias_get_highest_id("serial");
if (line < 0 || line >= nr_ports)
- line = ida_alloc_range(&port_ida, max_alias_num + 1, nr_ports, GFP_KERNEL);
+ line = ida_alloc_range(&port_ida, max_alias_num + 1,
+ nr_ports - 1, GFP_KERNEL);
else
- line = ida_alloc_range(&port_ida, line, nr_ports, GFP_KERNEL);
+ line = ida_alloc_range(&port_ida, line,
+ nr_ports - 1, GFP_KERNEL);
if (line < 0)
return ERR_PTR(-ENXIO);
gentwo / linux / .git / commitdiff