From: Zong Jiang Date: Wed, 27 Aug 2025 12:03:19 +0000 (+0800) Subject: serial: qcom-geni: Fix off-by-one error in ida_alloc_range() X-Git-Tag: v6.18-rc1~77^2~13 X-Git-Url: https://gentwo.org/gitweb/?a=commitdiff_plain;h=94fcae6cb1c1dec20a5bd0e324b23057fa4eae09;p=linux%2F.git serial: qcom-geni: Fix off-by-one error in ida_alloc_range() The ida_alloc_range() function expects an inclusive range, meaning both the start and end values are valid allocation targets. Passing nr_ports as the upper bound allows allocation of an ID equal to nr_ports, which is out of bounds when used as an index into the port array. Fix this by subtracting 1 from nr_ports in both calls to ida_alloc_range(), ensuring the allocated ID stays within the valid range [start, nr_ports - 1]. This prevents potential out-of-bounds access when the allocated ID is used as an index. Fixes: 9391ab1ed9b3 ("serial: qcom-geni: Make UART port count configurable via Kconfig") Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202508180815.R2nDyajs-lkp@intel.com/ Signed-off-by: Zong Jiang Link: https://lore.kernel.org/r/20250827120319.1682835-1-quic_zongjian@quicinc.com Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/tty/serial/qcom_geni_serial.c b/drivers/tty/serial/qcom_geni_serial.c index 9c7b1cea7cfe..0b474d349531 100644 --- a/drivers/tty/serial/qcom_geni_serial.c +++ b/drivers/tty/serial/qcom_geni_serial.c @@ -271,9 +271,11 @@ static struct qcom_geni_serial_port *get_port_from_line(int line, bool console, int max_alias_num = of_alias_get_highest_id("serial"); if (line < 0 || line >= nr_ports) - line = ida_alloc_range(&port_ida, max_alias_num + 1, nr_ports, GFP_KERNEL); + line = ida_alloc_range(&port_ida, max_alias_num + 1, + nr_ports - 1, GFP_KERNEL); else - line = ida_alloc_range(&port_ida, line, nr_ports, GFP_KERNEL); + line = ida_alloc_range(&port_ida, line, + nr_ports - 1, GFP_KERNEL); if (line < 0) return ERR_PTR(-ENXIO);