qe/ic: fix a buffer overflow error and add check elsewhere

127 is the theoretical up boundary of QEIC number,
in fact there only be 44 qe_ic_info now.
add check to overflow for qe_ic_info

Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
Acked-by: Li Yang <leoyang.li@nxp.com>
Signed-off-by: Scott Wood <oss@buserror.net>

diff --git a/drivers/soc/fsl/qe/qe_ic.c b/drivers/soc/fsl/qe/qe_ic.c
index b77d01ff8330dea346f50e8bc758f3a971d2cbb0..ec2ca864b0c5276a6df2c34bf004fe2f32ffe0bc 100644 (file)
--- a/drivers/soc/fsl/qe/qe_ic.c
+++ b/drivers/soc/fsl/qe/qe_ic.c
@@ -259,6 +259,11 @@ static int qe_ic_host_map(struct irq_domain *h, unsigned int virq,
        struct qe_ic *qe_ic = h->host_data;
        struct irq_chip *chip;
 
+       if (hw >= ARRAY_SIZE(qe_ic_info)) {
+               pr_err("%s: Invalid hw irq number for QEIC\n", __func__);
+               return -EINVAL;
+       }
+
        if (qe_ic_info[hw].mask == 0) {
                printk(KERN_ERR "Can't map reserved IRQ\n");
                return -EINVAL;
@@ -407,7 +412,8 @@ int qe_ic_set_priority(unsigned int virq, unsigned int priority)
 
        if (priority > 8 || priority == 0)
                return -EINVAL;
-       if (src > 127)
+       if (WARN_ONCE(src >= ARRAY_SIZE(qe_ic_info),
+                     "%s: Invalid hw irq number for QEIC\n", __func__))
                return -EINVAL;
        if (qe_ic_info[src].pri_reg == 0)
                return -EINVAL;
@@ -436,6 +442,9 @@ int qe_ic_set_high_priority(unsigned int virq, unsigned int priority, int high)
 
        if (priority > 2 || priority == 0)
                return -EINVAL;
+       if (WARN_ONCE(src >= ARRAY_SIZE(qe_ic_info),
+                     "%s: Invalid hw irq number for QEIC\n", __func__))
+               return -EINVAL;
 
        switch (qe_ic_info[src].pri_reg) {
        case QEIC_CIPZCC: