From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Harshvardhan Jha, Sumit Saxena, "Martin K . Petersen", Sasha Levin
Subject: [PATCH 5.10 23/98] scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
Date: Tue, 24 Aug 2021 12:57:53 -0400
Message-Id: <20210824165908.709932-24-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210824165908.709932-1-sashal@kernel.org>
References: <20210824165908.709932-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.61-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.10.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.10.61-rc1
X-KernelTest-Deadline: 2021-08-26T16:58+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Harshvardhan Jha

[ Upstream commit 77541f78eadfe9fdb018a7b8b69f0f2af2cf4b82 ]

The list_for_each_entry() iterator, "adapter" in this code, can never be NULL. If we exit the loop without finding the correct adapter then "adapter" points to invalid memory that is an offset from the list head. This will eventually lead to memory corruption and presumably a kernel crash.

Link: https://lore.kernel.org/r/20210708074642.23599-1-harshvardhan.jha@oracle.com
Acked-by: Sumit Saxena
Signed-off-by: Harshvardhan Jha
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
---
 drivers/scsi/megaraid/megaraid_mm.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c index 8df53446641a..422b726e2ac1 100644 --- a/drivers/scsi/megaraid/megaraid_mm.c +++ b/drivers/scsi/megaraid/megaraid_mm.c 
@@ -238,7 +238,7 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) mimd_t mimd; uint32_t adapno; int iterator; - + bool is_found; if (copy_from_user(&mimd, umimd, sizeof(mimd_t))) { *rval = -EFAULT; @@ -254,12 +254,16 @@ mraid_mm_get_adapter(mimd_t __user *umimd, int *rval) adapter = NULL; iterator = 0; + is_found = false; list_for_each_entry(adapter, &adapters_list_g, list) { - if (iterator++ == adapno) break; + if (iterator++ == adapno) { + is_found = true; + break; + } } - if (!adapter) { + if (!is_found) { *rval = -ENODEV; return NULL; } @@ -725,6 +729,7 @@ ioctl_done(uioc_t *kioc) uint32_t adapno; int iterator; mraid_mmadp_t* adapter; + bool is_found; /* * When the kioc returns from driver, make sure it still doesn't @@ -747,19 +752,23 @@ ioctl_done(uioc_t *kioc) iterator = 0; adapter = NULL; adapno = kioc->adapno; + is_found = false; con_log(CL_ANN, ( KERN_WARNING "megaraid cmm: completed " "ioctl that was timedout before\n")); list_for_each_entry(adapter, &adapters_list_g, list) { - if (iterator++ == adapno) break; + if (iterator++ == adapno) { + is_found = true; + break; + } } kioc->timedout = 0; - if (adapter) { + if (is_found) mraid_mm_dealloc_kioc( adapter, kioc ); - } + } else { wake_up(&wait_q); -- 2.30.2
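
Review bot: In mraid_mm_get_adapter(), the context line `adapter = NULL;` ahead of the loop is now a dead store. list_for_each_entry() assigns the cursor unconditionally, and the `!adapter` test that used to read it has been replaced by `!is_found`. Drop the assignment so the code no longer suggests that NULL is a possible outcome of the loop. Separately, `bool is_found;` takes the place of the blank line that separated the declarations from `if (copy_from_user(...))`; keep a blank line after the declaration block.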
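
Review bot: In ioctl_done(), the miss path after `if (is_found)` is silent: when no entry in adapters_list_g matches `kioc->adapno`, mraid_mm_dealloc_kioc() is skipped, `kioc->timedout` has already been cleared, and nothing is logged. A con_log() warning on that path would make the condition visible. Also, `iterator` is declared `int` but compared against the `uint32_t adapno` in `iterator++ == adapno`; declaring it `uint32_t` would avoid the mixed-sign comparison.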
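
Why the old NULL test could never fire, as an added userspace example (not code from the patch or the driver): list_for_each_entry() is re-created here in simplified form, and `struct adapter`, `lookup_unchecked()` and `lookup_checked()` are hypothetical stand-ins for `mraid_mmadp_t` and the pre-patch and patched lookup patterns.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified userspace stand-ins for <linux/list.h>; constructed for this example. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                          \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head);                                     \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical stand-in for mraid_mmadp_t: the list node is not the first field. */
struct adapter { int id; struct list_head list; };
static struct adapter a0, a1;	/* constructed sample data: a circular list of two adapters */
static struct list_head adapters = { &a0.list, &a1.list };
static struct adapter a0 = { 0, { &a1.list, &adapters } };
static struct adapter a1 = { 1, { &adapters, &a0.list } };

/* Pre-patch pattern: hands back the cursor and leaves the NULL test to the caller. */
static struct adapter *lookup_unchecked(unsigned int adapno)
{
	struct adapter *adapter = NULL;
	unsigned int iterator = 0;
	list_for_each_entry(adapter, &adapters, list)
		if (iterator++ == adapno)
			break;
	return adapter;	/* on a miss: container_of(&adapters, ...), never NULL */
}

/* Patched pattern: an explicit flag records whether the loop reached its break. */
static struct adapter *lookup_checked(unsigned int adapno)
{
	struct adapter *adapter = NULL;
	unsigned int iterator = 0;
	bool is_found = false;
	list_for_each_entry(adapter, &adapters, list)
		if (iterator++ == adapno) {
			is_found = true;
			break;
		}
	return is_found ? adapter : NULL;
}

int main(void)
{
	printf("miss: unchecked=%p checked=%p\n", (void *)lookup_unchecked(2), (void *)lookup_checked(2));
	return 0;
}
```

Build with gcc or clang, since the macro relies on `__typeof__`. The pointer returned on a miss is never dereferenced here; in the driver it would have been used as an adapter.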