of/irq: Fix interrupt-map cell length check in of_irq_parse_imap_parent()

commit fec3edc47d5cfc2dd296a5141df887bf567944db upstream. On a malformed interrupt-map property which is shorter than expected by 1 cell, we may read bogus data past the end of the property instead of returning an error in of_irq_parse_imap_parent(). Decrement the remaining length when skipping over the interrupt parent phandle cell. Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@quicinc.com [rh: reword commit msg] Signed-off-by: Rob Herring (Arm) <robh@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Zijun Hu <quic_zijuhu@quicinc.com> 2024-12-09 16:24:59 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-12-27 15:53:00 +0300
commit: cd126daadfe289dfccee90cf1f63fa1d62efeb73 (patch)
tree: ef574462a7421d3df5402bfa16fee65c0cb2ae7a /drivers/of
parent: 61f3036bc24679c8f915caaa59574a807f60a42e (diff)
download: linux-cd126daadfe289dfccee90cf1f63fa1d62efeb73.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index 8c402690d109..584e25aad649 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -111,6 +111,7 @@ const __be32 *of_irq_parse_imap_parent(const __be32 *imap, int len, struct of_ph
 	else
 		np = of_find_node_by_phandle(be32_to_cpup(imap));
 	imap++;
+	len--;
 
 	/* Check if not found */
 	if (!np) {
author	Zijun Hu <quic_zijuhu@quicinc.com>	2024-12-09 16:24:59 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-12-27 15:53:00 +0300
commit	cd126daadfe289dfccee90cf1f63fa1d62efeb73 (patch)
tree	ef574462a7421d3df5402bfa16fee65c0cb2ae7a /drivers/of
parent	61f3036bc24679c8f915caaa59574a807f60a42e (diff)
download	linux-cd126daadfe289dfccee90cf1f63fa1d62efeb73.tar.xz