net: wwan: iosm: Fix tainted pointer delete is case of region creation fail

PlaidCat · PlaidCat · commit fbc3c8918073 · 2024-09-12T13:28:07.000-04:00
jira LE-1907 cve CVE-2024-40939 Rebuild_History Non-Buildable kernel-5.14.0-427.33.1.el9_4 commit-author Aleksandr Mishin <amishin@t-argos.ru> commit b0c9a26 In case of region creation fail in ipc_devlink_create_region(), previously created regions delete process starts from tainted pointer which actually holds error code value. Fix this bug by decreasing region index before delete. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 4dcd183 ("net: wwan: iosm: devlink registration") Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com> Reviewed-by: Simon Horman <horms@kernel.org> Link: https://lore.kernel.org/r/20240604082500.20769-1-amishin@t-argos.ru Signed-off-by: Paolo Abeni <pabeni@redhat.com> (cherry picked from commit b0c9a26) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/drivers/net/wwan/iosm/iosm_ipc_devlink.c b/drivers/net/wwan/iosm/iosm_ipc_devlink.c
@@ -210,7 +210,7 @@ static int ipc_devlink_create_region(struct iosm_devlink *devlink)
 			rc = PTR_ERR(devlink->cd_regions[i]);
 			dev_err(devlink->dev, "Devlink region fail,err %d", rc);
 			/* Delete previously created regions */
-			for ( ; i >= 0; i--)
+			for (i--; i >= 0; i--)
 				devlink_region_destroy(devlink->cd_regions[i]);
 			goto region_create_fail;
 		}

Original file line number	Diff line number	Diff line change
`@@ -210,7 +210,7 @@ static int ipc_devlink_create_region(struct iosm_devlink *devlink)`
`210`	`210`	`rc = PTR_ERR(devlink->cd_regions[i]);`
`211`	`211`	`dev_err(devlink->dev, "Devlink region fail,err %d", rc);`
`212`	`212`	`/* Delete previously created regions */`
`213`		`- for ( ; i >= 0; i--)`
	`213`	`+ for (i--; i >= 0; i--)`
`214`	`214`	`devlink_region_destroy(devlink->cd_regions[i]);`
`215`	`215`	`goto region_create_fail;`
`216`	`216`	`}`