ACPI: bounds check IRQ to prevent memory corruption

acpi_penalize_isa_irq() should validate irq before using it to
index the acpi_irq_penalty[] table.

Here's the path I'm concerned about:

    pnpacpi_parse_allocated_irqresource()
    {
	...
	irq = acpi_register_gsi(gsi, triggering, polarity);
	if (irq >= 0)
		pcibios_penalize_isa_irq(irq, 1);

There's no guarantee that acpi_register_gsi() will return an IRQ
within the bounds of acpi_irq_penalty[].

I have not seen a failure I can attribute to this.  However,
ACPI_MAX_IRQS is only 256, and I'm pretty sure ia64 can have
IRQs larger than that.

I think this should go in 2.6.27.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>

1 files changed, 7 insertions, 5 deletions

diff --git a/drivers/acpi/pci_link.c b/drivers/acpi/pci_link.c
index 89f3b2abfdc7..cf47805a7448 100644
--- a/drivers/acpi/pci_link.c
+++ b/drivers/acpi/pci_link.c
@@ -849,7 +849,7 @@ static int __init acpi_irq_penalty_update(char *str, int used)
                 if (irq < 0)
                         continue;
 
-                if (irq >= ACPI_MAX_IRQS)
+                if (irq >= ARRAY_SIZE(acpi_irq_penalty))
                         continue;
 
                 if (used)
@@ -872,10 +872,12 @@ static int __init acpi_irq_penalty_update(char *str, int used)
  */
 void acpi_penalize_isa_irq(int irq, int active)
 {
-        if (active)
-                acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
-        else
-                acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+        if (irq >= 0 && irq < ARRAY_SIZE(acpi_irq_penalty)) {
+                if (active)
+                        acpi_irq_penalty[irq] += PIRQ_PENALTY_ISA_USED;
+                else
+                        acpi_irq_penalty[irq] += PIRQ_PENALTY_PCI_USING;
+        }
 }
 
 /*