6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
commit fec3edc47d5cfc2dd296a5141df887bf567944db upstream.
On a malformed interrupt-map property which is shorter than expected by
1 cell, we may read bogus data past the end of the property instead of
returning an error in of_irq_parse_imap_parent().
Decrement the remaining length when skipping over the interrupt parent
phandle cell.
Fixes: 935df1bd40d4 ("of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
Link: https://lore.kernel.org/r/20241209-of_irq_fix-v1-1-782f1419c8a1@xxxxxxxxxxx
[rh: reword commit msg]
Signed-off-by: Rob Herring (Arm) <robh@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/of/irq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index 67fc0ceaa5f5..43cf60479b9e 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -111,6 +111,7 @@ const __be32 *of_irq_parse_imap_parent(const __be32 *imap, int len, struct of_ph
else
np = of_find_node_by_phandle(be32_to_cpup(imap));
imap++;
+ len--;
/* Check if not found */
if (!np) {
--
2.47.1
