From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 19 Oct 2015 10:16:49 +0000 (+0300)
Subject: irda: precedence bug in irlmp_seq_hb_idx()
X-Git-Tag: firefly_0821_release~176^2~865^2~49
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=50010c20597d14667eff0fdb628309986f195230;p=firefly-linux-kernel-4.4.55.git

irda: precedence bug in irlmp_seq_hb_idx()

This is decrementing the pointer, instead of the value stored in the
pointer.  KASan detects it as an out of bounds reference.

Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
index a26c401ef4a4..43964594aa12 100644
--- a/net/irda/irlmp.c
+++ b/net/irda/irlmp.c
@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
 	for (element = hashbin_get_first(iter->hashbin);
 	     element != NULL;
 	     element = hashbin_get_next(iter->hashbin)) {
-		if (!off || *off-- == 0) {
+		if (!off || (*off)-- == 0) {
 			/* NB: hashbin left locked */
 			return element;
 		}