[PATCH 1/2] irqchip: crossbar: Fix out-of-bounds access in crossbar_domain_free()
From: Bhargav Joshi
Date: Tue Jun 09 2026 - 17:01:08 EST
crossbar_domain_free() uses 'd->hwirq' (the crossbar source index, which
can go from 0 to 399) as the index for cb->irq_map and cb->write(), rather
than the GIC SPI index. This can cause an out-of-bounds write. But
irq_domain_reset_irq_data(), which zeros d->hwirq, is called before
d->hwirq is read. Subsequent accesses use hwirq=0, which is always
in-bounds but writes to the wrong slot.
Fix this by using the GIC SPI index from the parent domain's irq_data,
moving the reset after cleanup.
Fixes: 783d31863fb82 ("irqchip: crossbar: Convert dra7 crossbar to stacked domains")
Signed-off-by: Bhargav Joshi <j.bhargav.u@xxxxxxxxx>
---
drivers/irqchip/irq-crossbar.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/irqchip/irq-crossbar.c b/drivers/irqchip/irq-crossbar.c
index cd1134101ace..6a4718be0c58 100644
--- a/drivers/irqchip/irq-crossbar.c
+++ b/drivers/irqchip/irq-crossbar.c
@@ -158,9 +158,9 @@ static void crossbar_domain_free(struct irq_domain *domain, unsigned int virq,
for (i = 0; i < nr_irqs; i++) {
struct irq_data *d = irq_domain_get_irq_data(domain, virq + i);
+ cb->irq_map[d->parent_data->hwirq - GIC_IRQ_START] = IRQ_FREE;
+ cb->write(d->parent_data->hwirq - GIC_IRQ_START, cb->safe_map);
irq_domain_reset_irq_data(d);
- cb->irq_map[d->hwirq] = IRQ_FREE;
- cb->write(d->hwirq, cb->safe_map);
}
raw_spin_unlock(&cb->lock);
}
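Review bot: The two added lines index cb->irq_map[] and call cb->write() with d->parent_data->hwirq - GIC_IRQ_START without checking that d->parent_data is non-NULL or that the parent hwirq is at least GIC_IRQ_START and the result lies inside cb->irq_map. If either assumption fails on a partially set up interrupt, the free path dereferences NULL or writes outside the map, which is the kind of access the subject line says is being fixed. Please compute the index once into a local before irq_domain_reset_irq_data(d), validate it (or document why the parent data is always valid here), and use that local for both statements instead of repeating the expression. The changelog also says the old code "can cause" an out-of-bounds write and then that hwirq is already 0 and in-bounds when it is read; the subject and first paragraph should state the actual effect, which by that description is a write to the wrong slot.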
--
2.54.0