From: Jakub Kicinski <jakub.kicinski@netronome.com>
Date: Fri, 26 Jan 2018 19:50:00 -0800
Subject: netdevsim: fix overflow on the error path
Patch-mainline: v4.16-rc1
Git-commit: e029f541039ff0768960ede62b946bcf4a163dec
References: bsc#1109837

Undo loop condition on the error path would cause the i counter
to go below zero, if allocation failure happened with the first
(i.e. 0th) element of the array.

Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
---
 drivers/net/netdevsim/bpf.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -480,8 +480,7 @@ static int
 nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap)
 {
 	struct nsim_bpf_bound_map *nmap;
-	unsigned int i;
-	int err;
+	int i, err;
 
 	if (WARN_ON(offmap->map.map_type != BPF_MAP_TYPE_ARRAY &&
 		    offmap->map.map_type != BPF_MAP_TYPE_HASH))
@@ -518,7 +517,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns,
 	return 0;
 
 err_free:
-	while (--i) {
+	while (--i >= 0) {
 		kfree(nmap->entry[i].key);
 		kfree(nmap->entry[i].value);
 	}