This is decrementing the pointer, instead of the value stored in the pointer. KASan detects it as an out of bounds reference.
Reported-by: "Berry Cheng 程君(成淼)" <chengmiao...@alibaba-inc.com> Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> --- This bug predates the start of git. You would think it would have been reported earlier since it looks like a serious bug. I cannot test this so please review carefully. diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c index a26c401..4396459 100644 --- a/net/irda/irlmp.c +++ b/net/irda/irlmp.c @@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off) for (element = hashbin_get_first(iter->hashbin); element != NULL; element = hashbin_get_next(iter->hashbin)) { - if (!off || *off-- == 0) { + if (!off || (*off)-- == 0) { /* NB: hashbin left locked */ return element; }
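Review bot: The side effect still lives inside the comparison in `if (!off || (*off)-- == 0)`, which is the construct that let `*off--` (parsed as `*(off--)`, so each loop iteration read one loff_t further below the caller's variable) go unnoticed. Consider testing `*off == 0` in the condition and decrementing `*off` as a separate statement in the loop body, so the precedence question cannot come back. With the fix the loop now writes through `off` for the first time, and on the matching element it leaves `*off` at -1 because the post-decrement also runs when the comparison succeeds; the hunk does not show whether callers of irlmp_seq_hb_idx() pass a scratch copy or reuse the value afterwards, so that is worth checking given the patch is untested.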