From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx> commit fec3edc47d5cfc2dd296a5141df887bf567944db upstream. On a malformed interrupt-map property which is shorter than expected by 1 cell, we may read bogus data past the end of the property instead of returning an error in of_irq_parse_imap_parent(). Decrement the remaining length when skipping over the interrupt parent phandle cell. Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()") Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx> Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@xxxxxxxxxxx [rh: reword commit msg] Signed-off-by: Rob Herring (Arm) <robh@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/of/irq.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/of/irq.c +++ b/drivers/of/irq.c @@ -111,6 +111,7 @@ const __be32 *of_irq_parse_imap_parent(c else np = of_find_node_by_phandle(be32_to_cpup(imap)); imap++; + len--; /* Check if not found */ if (!np) { Patches currently in stable-queue which might be from quic_zijuhu@xxxxxxxxxxx are queue-6.12/of-irq-fix-using-uninitialized-variable-addr_len-in-api-of_irq_parse_one.patch queue-6.12/of-fix-refcount-leakage-for-of-node-returned-by-__of_get_dma_parent.patch queue-6.12/of-irq-fix-interrupt-map-cell-length-check-in-of_irq_parse_imap_parent.patch