soundwire: fix bug in sdw_add_element_group_count found by syzkaller

The original implementation caused an out-of-bounds memory access
in the sdw_add_element_group_count for-loop when i == num.

for (i = 0; i <= num; i++) {
    if (rate == group->rates[i] && lane == group->lanes[i])
        ...

To fix this error, the function now checks for existing rate/lane
entries in the group(a function parameter) using a for-loop before
adding them.

No functional changes apart from this fix.

Fixes: 9026118f20e2 ("soundwire: Add generic bandwidth allocation algorithm")
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Baoli.Zhang <baoli.zhang@linux.intel.com>
Link: https://patch.msgid.link/20260506055039.3751028-2-baoli.zhang@linux.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>

diff --git a/drivers/soundwire/generic_bandwidth_allocation.c b/drivers/soundwire/generic_bandwidth_allocation.c
index fb3970e12dac9c3bb74a3165e67e10376eea5619..f016ad088a1db0ebda9c9687a8067dec353ddad6 100644 (file)
--- a/drivers/soundwire/generic_bandwidth_allocation.c
+++ b/drivers/soundwire/generic_bandwidth_allocation.c
@@ -299,39 +299,36 @@ static int sdw_add_element_group_count(struct sdw_group *group,
        int num = group->count;
        int i;
 
-       for (i = 0; i <= num; i++) {
+       for (i = 0; i < num; i++) {
                if (rate == group->rates[i] && lane == group->lanes[i])
-                       break;
-
-               if (i != num)
-                       continue;
-
-               if (group->count >= group->max_size) {
-                       unsigned int *rates;
-                       unsigned int *lanes;
+                       return 0;
+       }
 
-                       group->max_size += 1;
-                       rates = krealloc(group->rates,
-                                        (sizeof(int) * group->max_size),
-                                        GFP_KERNEL);
-                       if (!rates)
-                               return -ENOMEM;
+       if (group->count >= group->max_size) {
+               unsigned int *rates;
+               unsigned int *lanes;
 
-                       group->rates = rates;
+               group->max_size += 1;
+               rates = krealloc(group->rates,
+                                (sizeof(int) * group->max_size),
+                                GFP_KERNEL);
+               if (!rates)
+                       return -ENOMEM;
 
-                       lanes = krealloc(group->lanes,
-                                        (sizeof(int) * group->max_size),
-                                        GFP_KERNEL);
-                       if (!lanes)
-                               return -ENOMEM;
+               group->rates = rates;
 
-                       group->lanes = lanes;
-               }
+               lanes = krealloc(group->lanes,
+                                (sizeof(int) * group->max_size),
+                                GFP_KERNEL);
+               if (!lanes)
+                       return -ENOMEM;
 
-               group->rates[group->count] = rate;
-               group->lanes[group->count++] = lane;
+               group->lanes = lanes;
        }
 
+       group->rates[group->count] = rate;
+       group->lanes[group->count++] = lane;
+
        return 0;
 }