Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp1091899pxb;
        Thu, 9 Sep 2021 20:28:23 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzeoqxmEPj8en9SOn8WEgL9j4Mr+ldpCIiHI/6j+BFY2nGwpD9DoUMnkTvrpnYJFJlbUzvY
X-Received: by 2002:aa7:dcc2:: with SMTP id w2mr6680938edu.192.1631244503117;
        Thu, 09 Sep 2021 20:28:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1631244503; cv=none;
        d=google.com; s=arc-20160816;
        b=WOgPsBW+1obOtxsUV8v/QTZYC+iXeUsS832IIwgXYo5vd5AgtmEsMbC1SCc7JLbix9
         VSjeBN2WeAf5C0MIRUtFtKXBpmSY9pBHrUm72PUxRqwPY2MXON01QtA0kS6Zs/s/yxKL
         N/AdBdzWh6TiDfpXh7azlrvv/Y0ydWtRR3p4sJH0RyOtdU0Xkh8Bf0BJhqPfAwMMCaDF
         9tnoEiPia1EGgylNQEnbocrwSTkbed7n5S+lzbNB8bomeSKI4378NZq+8e8POSmTycXE
         ReR9aD5dnHU0v+dxa0L3AiV5PLRoujVL5SusblB4zAF/c4nbF4laXMtceuxiCV1+Yqgf
         agZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from;
        bh=kZzM4X4GVnSZDvZeo3Rnoy8OpQeP6tojg/gJFYr/Hng=;
        b=f5vCXp7rnnJONBA04fgo4oq/syhUnByGyknLq8Jp5tyJydtGkSGM1KgO7zSaEqkJVj
         ULeOpWXT+/jbxgpKCVHQ8iuDVMWO4N+R7hvnr0EalTTsQdsyWmpJP3MHw40sGuDwj6cv
         blw7qRyyOIcm1qzACECsdRkWCj9ilg3s1ydR9wJZlJR2sFEMx9Ux1SPt5D6W+2GQODwx
         qgKGyFRG1Gs64L+lUKBPSkqpkrfa2StUTZy8OXnO5iABUc9sanbS+nQc+IUd/4mjsyz+
         ddTp6lqh/vdqMTXGOyGiEzGwdeNfkWVPSHnx6sKqT4lzt08jPCp0hOZWh6Q2FFP20+cp
         lm4A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a22si3718767edu.602.2021.09.09.20.27.59;
        Thu, 09 Sep 2021 20:28:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229972AbhIJD1q (ORCPT <rfc822;li.zhiang.cn@gmail.com>
        + 99 others); Thu, 9 Sep 2021 23:27:46 -0400
Received: from smtp25.cstnet.cn ([159.226.251.25]:35878 "EHLO cstnet.cn"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S229461AbhIJD1n (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 9 Sep 2021 23:27:43 -0400
Received: from localhost.localdomain (unknown [124.16.138.128])
        by APP-05 (Coremail) with SMTP id zQCowACHaaJV0Dph4vkNAA--.29783S2;
        Fri, 10 Sep 2021 11:26:13 +0800 (CST)
From:   Jiang Jiasheng <jiasheng@iscas.ac.cn>
To:     tglx@linutronix.de
Cc:     linux-kernel@vger.kernel.org, Jiang Jiasheng <jiasheng@iscas.ac.cn>
Subject: [PATCH 6/6] irq: Potentially 'offset out of size' bug
Date:   Fri, 10 Sep 2021 03:26:12 +0000
Message-Id: <1631244372-1817960-1-git-send-email-jiasheng@iscas.ac.cn>
X-Mailer: git-send-email 2.7.4
X-CM-TRANSID: zQCowACHaaJV0Dph4vkNAA--.29783S2
X-Coremail-Antispam: 1UD129KBjvdXoW7JFy3JFWkuFykGF13ArW5Jrb_yoW3GrX_Gr
        9YyF1DWr48JryrAw4rtw4xAF1jy348AF48uw1Syay5J390vFn3Aw43XFZ0krsxXrWxAw1x
        A34Y9FW3tr4I9jkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
        9fnUUIcSsGvfJTRUUUbckFF20E14v26r1j6r4UM7CY07I20VC2zVCF04k26cxKx2IYs7xG
        6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w
        A2z4x0Y4vE2Ix0cI8IcVAFwI0_Xr0_Ar1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_Gr0_
        Cr1l84ACjcxK6I8E87Iv67AKxVW8Jr0_Cr1UM28EF7xvwVC2z280aVCY1x0267AKxVWxJr
        0_GcWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E
        2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV
        W8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lc2xSY4AK67AK6r48
        MxAIw28IcxkI7VAKI48JMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr
        0_Jr4lx2IqxVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUXVWUAwCIc40Y0x0E
        wIxGrwCI42IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWUJV
        W8JwCI42IY6xAIw20EY4v20xvaj40_WFyUJVCq3wCI42IY6I8E87Iv67AKxVWUJVW8JwCI
        42IY6I8E87Iv6xkF7I0E14v26r1j6r4UYxBIdaVFxhVjvjDU0xZFpf9x0JU2FALUUUUU=
X-Originating-IP: [124.16.138.128]
X-CM-SenderInfo: pmld2xxhqjqxpvfd2hldfou0/
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The find_next_bit() use nr_irqs as size, and using it without
any check might cause its returned value out of the size

Signed-off-by: Jiang Jiasheng <jiasheng@iscas.ac.cn>
---
 kernel/irq/irqdesc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
index 4a617d73..5bb310a 100644
--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -820,7 +820,8 @@ EXPORT_SYMBOL_GPL(__irq_alloc_descs);
  */
 unsigned int irq_get_next_irq(unsigned int offset)
 {
-	return find_next_bit(allocated_irqs, nr_irqs, offset);
+	offset = find_next_bit(allocated_irqs, nr_irqs, offset);
+	return offset < nr_irqs ? offset : nr_irqs;
 }
 
 struct irq_desc *
-- 
2.7.4