Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2898642pxb;
        Tue, 24 Aug 2021 10:08:31 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwQSdAoNhopuO3xdi56XU2DS+jSuqgZw6WWhopvuNysmqCfL3HH5r3k9gVBQSVT1G0VJc1z
X-Received: by 2002:a92:444e:: with SMTP id a14mr20440706ilm.152.1629824911662;
        Tue, 24 Aug 2021 10:08:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1629824911; cv=none;
        d=google.com; s=arc-20160816;
        b=mvrhLnVs4EC1qWyGtVocXQ6C4uVBmLQReRLIKJySPZdMJtVdlhlNiom8KAAagWzim6
         Me4dNJW/QXF0BuKMkvKA8E4zuWLcWOfpJX0bRrhqwWtaysfatrM23STvQKFQsm+GCicm
         08PlR3gj0KEWI+tZvzs8GZUncSKt+CGcjmlNu4/n5Dfh7asbZlNfij0/N4+Ugq1WSil1
         Czc+B3FnPTsPozehxgkng/WM/hvdbZo4ijA3HqVIhRur22rOubLI2pa6BDvnwCbGFk9q
         rdvVH1dsyQ+3JqMLSvz1SbxdurdVTexAF9kQZx1VzvkgrWTYV0ND3LT10FQAWy3r66cz
         BIaw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=mm0Ep2WuhkL95YvH6FHFiquEYhg3CkGekRSyRDPtLho=;
        b=G7Bm3V8LVn0XtfKM1xxwbhCC+BJodvDWJClWK0R5DyOIuB/FQ28e4gMMeeyOPCzIbC
         AYWrmQhwKs54PCZLN3XEgKwkqbbtIdlVp3VSgpbdAHmLPstOZRgyl3Fouoc2t4b7cmN5
         nN0UneZJcrQdFelRUpLm4V9wrELo+wdv/GJfEu0JP9JHezwwekjCuW87CH/qySSLKUER
         S2j4KmPxRfrL7D3lonJdrZBvMJyIvprj4NRyXeTVN5viJYlJ+uFk/xUh582kYR6ngz93
         Pr/0aNtxgIUdTBB33uUNu0cLpcEbfL4LtUXWJzj/rsmnghsLvSAdyGNAuTqzuaA2jUuj
         MBrw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=F8UxHEFt;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o13si17773816jat.13.2021.08.24.10.08.18;
        Tue, 24 Aug 2021 10:08:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=F8UxHEFt;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233991AbhHXRIT (ORCPT <rfc822;liukuiyu0707@gmail.com>
        + 99 others); Tue, 24 Aug 2021 13:08:19 -0400
Received: from mail.kernel.org ([198.145.29.99]:46474 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S239842AbhHXRFB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 24 Aug 2021 13:05:01 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id C2135619E8;
        Tue, 24 Aug 2021 16:59:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1629824373;
        bh=6RZGfi794T9ER7KTdkqdC0/wML4S9fRFPSgEGGduJzA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=F8UxHEFtUBH46J1GJyOz0S/4kjVVCrLI+6iTEq0wrNgL7ub/zRNLm2ESPbMl/2mJv
         DFF+XdVt3+S0u/hOJPe6/PYKfJMfSHZAxt6b4mWwxl8h3DeQdbnUCY6qzCAurUe7pl
         w7+iEXHQnElPBCFyTIa4f62nAXHEfqd/WrrvDJabn+uCBr9idxTjU1/MjFYupkCI5M
         3QtD3YsbcaIdghJPcDPcI8sJqMOl7q5qVRJjVxtwDnBi0hBBqhxJcaZjvoGFpOFolw
         HTzq/p7cfNnfgFTz9/spa66QHX05Df0R6BguyeNDp4cqjLAsA2lxssWXp3vILECpEV
         pNkU8u5V2ebNQ==
From:   Sasha Levin <sashal@kernel.org>
To:     linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc:     Harshvardhan Jha <harshvardhan.jha@oracle.com>,
        Sumit Saxena <sumit.saxena@broadcom.com>,
        "Martin K . Petersen" <martin.petersen@oracle.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 23/98] scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
Date:   Tue, 24 Aug 2021 12:57:53 -0400
Message-Id: <20210824165908.709932-24-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210824165908.709932-1-sashal@kernel.org>
References: <20210824165908.709932-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.61-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.10.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.10.61-rc1
X-KernelTest-Deadline: 2021-08-26T16:58+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Harshvardhan Jha <harshvardhan.jha@oracle.com>

[ Upstream commit 77541f78eadfe9fdb018a7b8b69f0f2af2cf4b82 ]

The list_for_each_entry() iterator, "adapter" in this code, can never be
NULL.  If we exit the loop without finding the correct adapter then
"adapter" points invalid memory that is an offset from the list head.  This
will eventually lead to memory corruption and presumably a kernel crash.

Link: https://lore.kernel.org/r/20210708074642.23599-1-harshvardhan.jha@oracle.com
Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
Signed-off-by: Harshvardhan Jha <harshvardhan.jha@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/megaraid/megaraid_mm.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c
index 8df53446641a..422b726e2ac1 100644
--- a/drivers/scsi/megaraid/megaraid_mm.c
+++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -238,7 +238,7 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval)
 	mimd_t		mimd;
 	uint32_t	adapno;
 	int		iterator;
-
+	bool		is_found;
 
 	if (copy_from_user(&mimd, umimd, sizeof(mimd_t))) {
 		*rval = -EFAULT;
@@ -254,12 +254,16 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval)
 
 	adapter = NULL;
 	iterator = 0;
+	is_found = false;
 
 	list_for_each_entry(adapter, &adapters_list_g, list) {
-		if (iterator++ == adapno) break;
+		if (iterator++ == adapno) {
+			is_found = true;
+			break;
+		}
 	}
 
-	if (!adapter) {
+	if (!is_found) {
 		*rval = -ENODEV;
 		return NULL;
 	}
@@ -725,6 +729,7 @@ ioctl_done(uioc_t *kioc)
 	uint32_t	adapno;
 	int		iterator;
 	mraid_mmadp_t*	adapter;
+	bool		is_found;
 
 	/*
 	 * When the kioc returns from driver, make sure it still doesn't
@@ -747,19 +752,23 @@ ioctl_done(uioc_t *kioc)
 		iterator	= 0;
 		adapter		= NULL;
 		adapno		= kioc->adapno;
+		is_found	= false;
 
 		con_log(CL_ANN, ( KERN_WARNING "megaraid cmm: completed "
 					"ioctl that was timedout before\n"));
 
 		list_for_each_entry(adapter, &adapters_list_g, list) {
-			if (iterator++ == adapno) break;
+			if (iterator++ == adapno) {
+				is_found = true;
+				break;
+			}
 		}
 
 		kioc->timedout = 0;
 
-		if (adapter) {
+		if (is_found)
 			mraid_mm_dealloc_kioc( adapter, kioc );
-		}
+
 	}
 	else {
 		wake_up(&wait_q);
-- 
2.30.2