net: dsa: sja1105: fix buffer overflow in sja1105_setup_devlink_regions()
authorRustam Subkhankulov <subkhankulov@ispras.ru>
Wed, 17 Aug 2022 00:38:45 +0000 (03:38 +0300)
committerJakub Kicinski <kuba@kernel.org>
Thu, 18 Aug 2022 04:58:15 +0000 (21:58 -0700)
If an error occurs in dsa_devlink_region_create(), then 'priv->regions'
array will be accessed by negative index '-1'.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Rustam Subkhankulov <subkhankulov@ispras.ru>
Fixes: bf425b82059e ("net: dsa: sja1105: expose static config as devlink region")
Link: https://lore.kernel.org/r/20220817003845.389644-1-subkhankulov@ispras.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/dsa/sja1105/sja1105_devlink.c

index 0569ff066634dee718bfbc7e1b2b40c45bc080aa..10c6fea1227fa698fe8c5a261fb678eb88165f16 100644 (file)
@@ -93,7 +93,7 @@ static int sja1105_setup_devlink_regions(struct dsa_switch *ds)
 
                region = dsa_devlink_region_create(ds, ops, 1, size);
                if (IS_ERR(region)) {
-                       while (i-- >= 0)
+                       while (--i >= 0)
                                dsa_devlink_region_destroy(priv->regions[i]);
                        return PTR_ERR(region);
                }