Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp225411pxv; Thu, 8 Jul 2021 00:50:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzYxcAkjklrSsxP4uIiOewz1xeEs5V5ghfQ72IJo4NnY/ya/sPsHulRIXnhqXdMFRRGLDiO X-Received: by 2002:aa7:cb9a:: with SMTP id r26mr37104686edt.78.1625730627744; Thu, 08 Jul 2021 00:50:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625730627; cv=none; d=google.com; s=arc-20160816; b=HBaB+Td+NF7nb57Cn4gzoZVZCBeKs8mE3dut6UJg66AkN9hFUQR99ReoqzTNjWzGse upjET4msOUzxkK3/lGkFKh0Ni5kzLey80aZQnEWaCBoAvObuOpiG6VOhv1iPEC7uvvFV iFMXEoK00jR0Sf8K4VwO68NFsTLXd2WtYgp4RERNuRjG4WpWVj9B8uzLKglaObPbejxS v6D44qC6VtFaXr2vF5RqhRGJl1zmzD/h77BIj98vU8Ez5gDVHDGKAEsfnRtIC2tDCH/w baE5G0JpvQdqzWQvcwqGIBYfzyh2V9ob9ToUuk7XrOBkGH16emop14/kD/Kg6xmZoH34 XGPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=c8iN/XWCuVrPGPxQXlhQ1efb/+eXkhGD1kjrilkU3eE=; b=c3pxizBARR+Br99OtiRhjY2j/z1cF/lcrja2wmQ+A9q+O2CR7K4LfFJs7mtcNZsSUw TRCRLzR9jbAGEJIEZVvpKRCAYtFX4JAihUYqG1co3nZLcoi4vMjtJ9mcxyi65oYjiKcu bUfHk3sIIZZiII2k/SktubVrw8orLjmj4xpqrTQDFHK+hssvDVypj/6zu0r62e7TDKLZ DiIIcWPonVAOGGmv17w5g7Wx5lQSQkjaEJk877ryCGc6ehrcrVEBY2Zrrd5HrAh05KfS 5hVOyW29XELULJYiIw+ZeozJmRDdgnORO5rH7U3K4PTgFAlNGvlPvp4H2hFa6KJlDQQI wuwQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=NYvbx7xh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cw13si1973479ejc.195.2021.07.08.00.50.04; Thu, 08 Jul 2021 00:50:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2020-01-29 header.b=NYvbx7xh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230467AbhGHHtj (ORCPT + 99 others); Thu, 8 Jul 2021 03:49:39 -0400 Received: from mx0b-00069f02.pphosted.com ([205.220.177.32]:28710 "EHLO mx0b-00069f02.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229851AbhGHHti (ORCPT ); Thu, 8 Jul 2021 03:49:38 -0400 Received: from pps.filterd (m0246631.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 1687kiOL005579; Thu, 8 Jul 2021 07:46:54 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : mime-version : content-transfer-encoding; s=corp-2020-01-29; bh=c8iN/XWCuVrPGPxQXlhQ1efb/+eXkhGD1kjrilkU3eE=; b=NYvbx7xhH3p/ovJk7fDW1NvmzNgHwe6nU5jLfKUh5oUanLfkZZjD0QLN2cZELvvXWHon gbRlxqoZ8KPIwQ00eXG9AbijkLwYprPGXJ5wngs+G5FbDKDA5BjEniNhEQzIQrwJ+RtV WYCAfa5+oxqIrt8AnhS6uoFHiJRmUIsfh16IBwuIn2uyU0a8U/OolQ9y5EULYfB6fK31 rML7bmuwtWGCMP+PhTkutHUF5u8wJNGvEdgUHgzGr374pdu4liJuY++sSX4W+sNz6TXt 4LhF714pecrC2scNYneHaVrTtKsNvGkFFX+DvNP3s8vWSpaB6stJXV3CR8vIBpiWIzUQ 9g== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by mx0b-00069f02.pphosted.com with ESMTP id 39npwbrfws-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 08 Jul 2021 07:46:54 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 1687kCOC066489; Thu, 8 Jul 2021 07:46:53 GMT Received: from pps.reinject (localhost [127.0.0.1]) by userp3030.oracle.com with ESMTP id 39jd1502ek-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 08 Jul 2021 07:46:53 +0000 Received: from userp3030.oracle.com (userp3030.oracle.com [127.0.0.1]) by pps.reinject (8.16.0.36/8.16.0.36) with SMTP id 1687kB6E066348; Thu, 8 Jul 2021 07:46:52 GMT Received: from manjaro.in.oracle.com (dhcp-10-191-197-186.vpn.oracle.com [10.191.197.186]) by userp3030.oracle.com with ESMTP id 39jd1502bg-1; Thu, 08 Jul 2021 07:46:52 +0000 From: Harshvardhan Jha To: kashyap.desai@broadcom.com Cc: sumit.saxena@broadcom.com, shivasharan.srikanteshwara@broadcom.com, jejb@linux.ibm.com, martin.petersen@oracle.com, megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, dan.carpenter@oracle.com, Harshvardhan Jha Subject: [PATCH] scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry Date: Thu, 8 Jul 2021 13:16:42 +0530 Message-Id: <20210708074642.23599-1-harshvardhan.jha@oracle.com> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Proofpoint-GUID: coJ31HP0X3f8TOM6dViEqz-tTIkzH06T X-Proofpoint-ORIG-GUID: coJ31HP0X3f8TOM6dViEqz-tTIkzH06T Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The list_for_each_entry() iterator, "adapter" in this code, can never be NULL. If we exit the loop without finding the correct adapter then "adapter" points invalid memory that is an offset from the list head. This will eventually lead to memory corruption and presumably a kernel crash. Signed-off-by: Harshvardhan Jha --- From static analysis. Not tested. --- drivers/scsi/megaraid/megaraid_mm.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c index abf7b401f5b9..c509440bd161 100644 --- a/drivers/scsi/megaraid/megaraid_mm.c +++ b/drivers/scsi/megaraid/megaraid_mm.c @@ -238,7 +238,7 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) mimd_t mimd; uint32_t adapno; int iterator; - + bool is_found; if (copy_from_user(&mimd, umimd, sizeof(mimd_t))) { *rval = -EFAULT; @@ -254,12 +254,16 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) adapter = NULL; iterator = 0; + is_found = false; list_for_each_entry(adapter, &adapters_list_g, list) { - if (iterator++ == adapno) break; + if (iterator++ == adapno) { + is_found = true; + break; + } } - if (!adapter) { + if (!is_found) { *rval = -ENODEV; return NULL; } @@ -725,6 +729,7 @@ ioctl_done(uioc_t *kioc) uint32_t adapno; int iterator; mraid_mmadp_t* adapter; + bool is_found; /* * When the kioc returns from driver, make sure it still doesn't @@ -747,19 +752,23 @@ ioctl_done(uioc_t *kioc) iterator = 0; adapter = NULL; adapno = kioc->adapno; + is_found = false; con_log(CL_ANN, ( KERN_WARNING "megaraid cmm: completed " "ioctl that was timedout before\n")); list_for_each_entry(adapter, &adapters_list_g, list) { - if (iterator++ == adapno) break; + if (iterator++ == adapno) { + is_found = true; + break; + } } kioc->timedout = 0; - if (adapter) { + if (is_found) mraid_mm_dealloc_kioc( adapter, kioc ); - } + } else { wake_up(&wait_q); -- 2.32.0