powerpc/powernv: Fix the overflow of OPAL message notifiers head array

commit 792f96e9a769b799a2944e9369e4ea1e467135b2 upstream.

Fixes the condition check of incoming message type which can
otherwise shoot beyond the message notifiers head array.

Signed-off-by: Neelesh Gupta <neelegup@linux.vnet.ibm.com>
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Reviewed-by: Anshuman Khandual <khandual@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

diff --git a/arch/powerpc/platforms/powernv/opal.c b/arch/powerpc/platforms/powernv/opal.c
index 199975613fe99fbbc030e34c205283dbb889f2c8..d5e5794db9893dfb44deaa694e6a7f01c4e78b02 100644 (file)
--- a/arch/powerpc/platforms/powernv/opal.c
+++ b/arch/powerpc/platforms/powernv/opal.c
@@ -286,16 +286,12 @@ void opal_notifier_disable(void)
 int opal_message_notifier_register(enum OpalMessageType msg_type,
                                        struct notifier_block *nb)
 {
-       if (!nb) {
-               pr_warning("%s: Invalid argument (%p)\n",
-                          __func__, nb);
-               return -EINVAL;
-       }
-       if (msg_type > OPAL_MSG_TYPE_MAX) {
-               pr_warning("%s: Invalid message type argument (%d)\n",
+       if (!nb || msg_type >= OPAL_MSG_TYPE_MAX) {
+               pr_warning("%s: Invalid arguments, msg_type:%d\n",
                           __func__, msg_type);
                return -EINVAL;
        }
+
        return atomic_notifier_chain_register(
                                &opal_msg_notifier_head[msg_type], nb);
 }
@@ -332,7 +328,7 @@ static void opal_handle_message(void)
        type = be32_to_cpu(msg.msg_type);
 
        /* Sanity check */
-       if (type > OPAL_MSG_TYPE_MAX) {
+       if (type >= OPAL_MSG_TYPE_MAX) {
                pr_warning("%s: Unknown message type: %u\n", __func__, type);
                return;
        }