[patch] irda: precedence bug in irlmp_seq_hb_idx()

[patch] irda: precedence bug in irlmp_seq_hb_idx()

[Dan Carpenter]

This is decrementing the pointer, instead of the value stored in the
pointer.  KASan detects it as an out of bounds reference.

Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This bug predates the start of git.  You would think it would have been
reported earlier since it looks like a serious bug.  I cannot test this
so please review carefully.

diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
index a26c401..4396459 100644
--- a/net/irda/irlmp.c
+++ b/net/irda/irlmp.c
@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
 	for (element = hashbin_get_first(iter->hashbin);
 	     element != NULL;
 	     element = hashbin_get_next(iter->hashbin)) {
-		if (!off || *off-- == 0) {
+		if (!off || (*off)-- == 0) {
 			/* NB: hashbin left locked */
 			return element;
 		}

Re: [patch] irda: precedence bug in irlmp_seq_hb_idx()

[David Miller]

From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Mon, 19 Oct 2015 13:16:49 +0300

> This is decrementing the pointer, instead of the value stored in the
> pointer.  KASan detects it as an out of bounds reference.
> 
> Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Applied and queued up for -stable, thanks.