stm32mp: fix various array bounds checks

In all these cases, the index on the LHS is immediately afterwards
used to access the array appearing in the ARRAY_SIZE() on the RHS - so
if that index is equal to the array size, we'll access
one-past-the-end of the array.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>

arch/arm/mach-stm32mp/cpu.c

@@ -190,7 +190,7 @@ static void setup_boot_mode(void)
 		  __func__, boot_ctx, boot_mode, instance, forced_mode);
 	switch (boot_mode & TAMP_BOOT_DEVICE_MASK) {
 	case BOOT_SERIAL_UART:
-		if (instance > ARRAY_SIZE(serial_addr))
+		if (instance >= ARRAY_SIZE(serial_addr))
 			break;
 		/* serial : search associated node in devicetree */
 		sprintf(cmd, "serial@%x", serial_addr[instance]);
@@ -220,7 +220,7 @@ static void setup_boot_mode(void)
 		break;
 	case BOOT_FLASH_SD:
 	case BOOT_FLASH_EMMC:
-		if (instance > ARRAY_SIZE(sdmmc_addr))
+		if (instance >= ARRAY_SIZE(sdmmc_addr))
 			break;
 		/* search associated sdmmc node in devicetree */
 		sprintf(cmd, "mmc@%x", sdmmc_addr[instance]);

board/st/stm32mp1/stm32mp1.c

@@ -872,7 +872,7 @@ int mmc_get_boot(void)
 		STM32_SDMMC3_BASE
 	};
 
-	if (instance > ARRAY_SIZE(sdmmc_addr))
+	if (instance >= ARRAY_SIZE(sdmmc_addr))
 		return 0;
 
 	/* search associated sdmmc node in devicetree */

drivers/ram/stm32mp1/stm32mp1_interactive.c

@@ -391,7 +391,7 @@ bool stm32mp1_ddr_interactive(void *priv,
 	if (next_step < 0)
 		return false;
 
-	if (step < 0 || step > ARRAY_SIZE(step_str)) {
+	if (step < 0 || step >= ARRAY_SIZE(step_str)) {
 		printf("** step %d ** INVALID\n", step);
 		return false;
 	}