drm/xe/rtp: Fix out-of-bounds array access

Increment the counter before checking for number of rules, otherwise
when there's no XE_RTP_MATCH_OR an out-of-bounds access is done, as
reported by kasan:

	BUG: KASAN: global-out-of-bounds in rule_matches+0xb6d/0x11c0 [xe]
	Read of size 1 at addr ffffffffa0a50b70 by task systemd-udevd/243

Fixes: dc72c52a42e0 ("drm/xe/rtp: Allow to OR rules")
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Nirmoy Das <nirmoy.das@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240628161726.836734-1-lucas.demarchi@intel.com
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>

diff --git a/drivers/gpu/drm/xe/xe_rtp.c b/drivers/gpu/drm/xe/xe_rtp.c
index 5b27f7c45ea328cd0fecaf2812fcb3d686ce12e7..02e28274282f9330b9d27e87d3bde55d01fafc75 100644 (file)
--- a/drivers/gpu/drm/xe/xe_rtp.c
+++ b/drivers/gpu/drm/xe/xe_rtp.c
@@ -121,7 +121,7 @@ static bool rule_matches(const struct xe_device *xe,
                         * Advance rules until we find XE_RTP_MATCH_OR to check
                         * if there's another set of conditions to check
                         */
-                       while (i < n_rules && rules[++i].match_type != XE_RTP_MATCH_OR)
+                       while (++i < n_rules && rules[i].match_type != XE_RTP_MATCH_OR)
                                ;
 
                        if (i >= n_rules)