powerpc/powernv: Fix the overflow of OPAL message notifiers head array
authorNeelesh Gupta <neelegup@linux.vnet.ibm.com>
Wed, 11 Feb 2015 06:27:06 +0000 (11:57 +0530)
committerBenjamin Herrenschmidt <benh@kernel.crashing.org>
Wed, 25 Mar 2015 05:53:28 +0000 (16:53 +1100)
Fix the bounds check on the incoming message type, which could
otherwise index beyond the end of the message notifiers head array.

Signed-off-by: Neelesh Gupta <neelegup@linux.vnet.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Reviewed-by: Anshuman Khandual <khandual@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
arch/powerpc/platforms/powernv/opal.c

index 70a6c14cacb6d40b123881fd73ed25520456c144..b0021ac3e0a8cb9c4edddaff180043394f20c915 100644 (file)
@@ -308,16 +308,12 @@ void opal_notifier_disable(void)
 int opal_message_notifier_register(enum OpalMessageType msg_type,
                                        struct notifier_block *nb)
 {
-       if (!nb) {
-               pr_warning("%s: Invalid argument (%p)\n",
-                          __func__, nb);
-               return -EINVAL;
-       }
-       if (msg_type > OPAL_MSG_TYPE_MAX) {
-               pr_warning("%s: Invalid message type argument (%d)\n",
+       if (!nb || msg_type >= OPAL_MSG_TYPE_MAX) {
+               pr_warning("%s: Invalid arguments, msg_type:%d\n",
                           __func__, msg_type);
                return -EINVAL;
        }
+
        return atomic_notifier_chain_register(
                                &opal_msg_notifier_head[msg_type], nb);
 }
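Review bot: The bound in `opal_message_notifier_register` is still tied to the enum constant rather than to the array it protects, so the check and the size of `opal_msg_notifier_head` can drift apart again if either one changes. Assuming `opal_msg_notifier_head` is a true array (its declaration is outside this hunk), I would write `if (!nb || msg_type >= ARRAY_SIZE(opal_msg_notifier_head)) {`. The comparison against a `size_t` would also reject a negative `msg_type` if the enum ever ends up with a signed underlying type. The same applies to the `type >= OPAL_MSG_TYPE_MAX` check in `opal_handle_message`.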
@@ -354,7 +350,7 @@ static void opal_handle_message(void)
        type = be32_to_cpu(msg.msg_type);
 
        /* Sanity check */
-       if (type > OPAL_MSG_TYPE_MAX) {
+       if (type >= OPAL_MSG_TYPE_MAX) {
                pr_warning("%s: Unknown message type: %u\n", __func__, type);
                return;
        }
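Review bot: The warning in the rejected branch of `opal_handle_message` is driven by a value read from the firmware message (`be32_to_cpu(msg.msg_type)`) and is not rate-limited, so a run of unknown-type messages can flood the kernel log. I would use `pr_warn_ratelimited("%s: Unknown message type: %u\n", __func__, type);` here. If, as the commit message implies, `type` is later used to index `opal_msg_notifier_head`, the `/* Sanity check */` comment could say so: `/* type indexes opal_msg_notifier_head[]; OPAL_MSG_TYPE_MAX itself is out of range */`. The body of the function starts and ends outside this hunk, so the later use of `type` is not visible here.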