From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, "Martin K. Petersen"
Subject: [PATCH 5.17 666/772] scsi: dc395x: Fix a missing check on list iterator
Date: Tue, 7 Jun 2022 19:04:18 +0200
Message-Id: <20220607165008.685440359@linuxfoundation.org>

From: Xiaomeng Tong

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:

	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to an invalid memory access.

To fix this bug, add a check. Use a new variable 'iter' as the list iterator, and use the original variable 'p' as a dedicated pointer to point to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/dc395x.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -3588,10 +3588,19 @@ static struct DeviceCtlBlk *device_alloc #endif if (dcb->target_lun != 0) { /* Copy settings */ - struct DeviceCtlBlk *p; - list_for_each_entry(p, &acb->dcb_list, list) - if (p->target_id == dcb->target_id) + struct DeviceCtlBlk *p = NULL, *iter; + + list_for_each_entry(iter, &acb->dcb_list, list) + if (iter->target_id == dcb->target_id) { + p = iter; break; + } + + if (!p) { + kfree(dcb); + return NULL; + } + dprintkdbg(DBG_1, "device_alloc: <%02i-%i> copy from <%02i-%i>\n", dcb->target_id, dcb->target_lun,
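
Review bot: The new `if (!p)` branch fails the whole allocation silently: it does `kfree(dcb); return NULL;` with no log line, so a caller of device_alloc cannot tell "no existing entry on dcb_list with this target_id" apart from any other failure. Consider printing a message before the return (the function already calls dprintkdbg immediately below) and adding a one-line comment on why failing is preferred over skipping the settings copy. It is also worth confirming that nothing earlier in device_alloc has linked dcb into a list or allocated anything hanging off it; that code is outside the visible context, and if it exists kfree(dcb) alone would not be enough cleanup.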