From: Colin Ian King <colin.king@canonical.com>
Date: Thu, 22 Jun 2017 17:27:21 +0000 (-0300)
Subject: media: venus: fix loop wrap in cleanup of clks
X-Git-Tag: v4.13-rc4~5^2~61
X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=bc8e2d627a5888c48d553abe534c341c1c096a5e;p=linux.git

media: venus: fix loop wrap in cleanup of clks

The current pre-decrement is incorrect and should be replaced
with a post-decrement. Consider the case where the very first
clk_prepare_enable fails when i is 0; in this case the error
clean up will decrement the unsigned int which wraps to the
largest unsigned int value causing an array out of bounds read
on core->clks[i].

Detected by CoverityScan, CID#1446590 ("Out-of-bounds read")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
---

diff --git a/drivers/media/platform/qcom/venus/core.c b/drivers/media/platform/qcom/venus/core.c
index 776d2bae6979..d8cbe8549d97 100644
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -137,7 +137,7 @@ static int venus_clks_enable(struct venus_core *core)
 
 	return 0;
 err:
-	while (--i)
+	while (i--)
 		clk_disable_unprepare(core->clks[i]);
 
 	return ret;