powerpc/powernv/npu: Check mmio_atsd array bounds when populating

A broken device tree might contain more than 8 values and introduce hard
to debug memory corruption bug. This adds the boundary check.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>

diff --git a/arch/powerpc/platforms/powernv/npu-dma.c b/arch/powerpc/platforms/powernv/npu-dma.c
index 44f47195993241284fd2010f9a80a9bf574959d3..b713727663e26e7469484b6027d198500a11e3f6 100644 (file)
--- a/arch/powerpc/platforms/powernv/npu-dma.c
+++ b/arch/powerpc/platforms/powernv/npu-dma.c
@@ -1178,8 +1178,9 @@ int pnv_npu2_init(struct pci_controller *hose)
 
        npu->nmmu_flush = of_property_read_bool(hose->dn, "ibm,nmmu-flush");
 
-       for (i = 0; !of_property_read_u64_index(hose->dn, "ibm,mmio-atsd",
-                                                       i, &mmio_atsd); i++)
+       for (i = 0; i < ARRAY_SIZE(npu->mmio_atsd_regs) &&
+                       !of_property_read_u64_index(hose->dn, "ibm,mmio-atsd",
+                               i, &mmio_atsd); i++)
                npu->mmio_atsd_regs[i] = ioremap(mmio_atsd, 32);
 
        pr_info("NPU%d: Found %d MMIO ATSD registers", hose->global_number, i);