irda: precedence bug in irlmp_seq_hb_idx()

[ Upstream commit 50010c20597d14667eff0fdb628309986f195230 ] This is decrementing the pointer, instead of the value stored in the pointer. KASan detects it as an out of bounds reference. Reported-by: "Berry Cheng 程君(成淼)" <chengmiao.cj@alibaba-inc.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2015-10-19 13:16:49 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2015-12-09 14:03:10 -0500
commit: 1c98797fc8ff4cf4122a98cd7365c25c598c090e (patch)
tree: f371eadf96ad73734d954bb05dfbb57aa9a04465 /net
parent: 1f2ce4a2e7aea3a2123b17aff62a80553df31e21 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
index a26c401ef4a4..43964594aa12 100644
--- a/net/irda/irlmp.c
+++ b/net/irda/irlmp.c
@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
 	for (element = hashbin_get_first(iter->hashbin);
 	     element != NULL;
 	     element = hashbin_get_next(iter->hashbin)) {
-		if (!off || *off-- == 0) {
+		if (!off || (*off)-- == 0) {
 			/* NB: hashbin left locked */
 			return element;
 		}
author	Dan Carpenter <dan.carpenter@oracle.com>	2015-10-19 13:16:49 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2015-12-09 14:03:10 -0500
commit	1c98797fc8ff4cf4122a98cd7365c25c598c090e (patch)
tree	f371eadf96ad73734d954bb05dfbb57aa9a04465 /net
parent	1f2ce4a2e7aea3a2123b17aff62a80553df31e21 (diff)