From 148547000cfc1ba8cec02857268333d08724b9cc Mon Sep 17 00:00:00 2001
From: Dan Carpenter <dan.carpenter@linaro.org>
Date: Wed, 13 Aug 2025 08:38:27 +0300
Subject: gpio: aggregator: Fix off by one in gpiochip_fwd_desc_add()

The "> chip->ngpio" comparison here needs to be ">= chip->ngpio",
otherwise it leads to an out of bounds access.  The fwd->valid_mask
bitmap only has chip->ngpio bits and the fwd->descs[] array has that
same number of elements.  These values are set in
devm_gpiochip_fwd_alloc().

Fixes: c44ce91b8ada ("gpio: aggregator: refactor the code to add GPIO desc in the forwarder")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/aJwk0yBSCccGCjX3@stanley.mountain
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
---
 drivers/gpio/gpio-aggregator.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'drivers/gpio/gpio-aggregator.c')

diff --git a/drivers/gpio/gpio-aggregator.c b/drivers/gpio/gpio-aggregator.c
index 0ef6556f98b1..37600faf4a4b 100644
--- a/drivers/gpio/gpio-aggregator.c
+++ b/drivers/gpio/gpio-aggregator.c
@@ -744,7 +744,7 @@ int gpiochip_fwd_desc_add(struct gpiochip_fwd *fwd, struct gpio_desc *desc,
 {
 	struct gpio_chip *chip = &fwd->chip;
 
-	if (offset > chip->ngpio)
+	if (offset >= chip->ngpio)
 		return -EINVAL;
 
 	if (test_and_set_bit(offset, fwd->valid_mask))
-- 
cgit