MIPS: GIC: Prevent array overrun

A GIC interrupt which is declared as having a GIC_MAP_TO_NMI_MSK
mapping causes the cpu parameter to gic_setup_intr() to be increased
to 32, causing memory corruption when pcpu_masks[] is written to again
later in the function.

Signed-off-by: Jeffrey Deans <jeffrey.deans@imgtec.com>
Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: stable@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7375/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

1 files changed, 4 insertions, 2 deletions

diff --git a/arch/mips/kernel/irq-gic.c b/arch/mips/kernel/irq-gic.c
index 88e4c323382c..d5e59b8f4863 100644
--- a/arch/mips/kernel/irq-gic.c
+++ b/arch/mips/kernel/irq-gic.c
@@ -269,11 +269,13 @@ static void __init gic_setup_intr(unsigned int intr, unsigned int cpu,
 
         /* Setup Intr to Pin mapping */
         if (pin & GIC_MAP_TO_NMI_MSK) {
+                int i;
+
                 GICWRITE(GIC_REG_ADDR(SHARED, GIC_SH_MAP_TO_PIN(intr)), pin);
                 /* FIXME: hack to route NMI to all cpu's */
-                for (cpu = 0; cpu < NR_CPUS; cpu += 32) {
+                for (i = 0; i < NR_CPUS; i += 32) {
                         GICWRITE(GIC_REG_ADDR(SHARED,
-                                          GIC_SH_MAP_TO_VPE_REG_OFF(intr, cpu)),
+                                          GIC_SH_MAP_TO_VPE_REG_OFF(intr, i)),
                                  0xffffffff);
                 }
         } else {