From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, "Martin K. Petersen"
Subject: [PATCH 5.10 376/452] scsi: dc395x: Fix a missing check on list iterator
Date: Tue, 7 Jun 2022 19:03:53 +0200
Message-Id: <20220607164919.769628826@linuxfoundation.org>

From: Xiaomeng Tong

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:

	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if
the list is empty or no element is found. This case must be checked before
any use of the iterator, otherwise it will lead to an invalid memory
access.

To fix this bug, add a check. Use a new variable 'iter' as the list
iterator, and use the original variable 'p' as a dedicated pointer to point
to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/dc395x.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -3631,10 +3631,19 @@ static struct DeviceCtlBlk *device_alloc #endif if (dcb->target_lun != 0) { /* Copy settings */ - struct DeviceCtlBlk *p; - list_for_each_entry(p, &acb->dcb_list, list) - if (p->target_id == dcb->target_id) + struct DeviceCtlBlk *p = NULL, *iter; + + list_for_each_entry(iter, &acb->dcb_list, list) + if (iter->target_id == dcb->target_id) { + p = iter; break; + } + + if (!p) { + kfree(dcb); + return NULL; + } + dprintkdbg(DBG_1, "device_alloc: <%02i-%i> copy from <%02i-%i>\n", dcb->target_id, dcb->target_lun,
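
Review bot: the new `if (!p)` branch in device_alloc frees dcb and returns NULL without logging anything, so a device with target_lun != 0 whose target_id has no match in acb->dcb_list now fails silently and looks the same to the caller as any other NULL return. Consider emitting a message with dcb->target_id and dcb->target_lun before the kfree(dcb), in the same style as the dprintkdbg call that follows. A smaller style point in the same hunk: now that the `if` inside list_for_each_entry has a braced multi-line body, the loop itself would read more safely with its own braces.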