Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp2206216iof;
        Tue, 7 Jun 2022 23:11:16 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwN1mSPOdCuCMNGak50+Eb4PHWS3lR9mUjRBwZqSEnMGO1hxEE5tKRIiBrCdEAFgG6w5Lab
X-Received: by 2002:aa7:8d47:0:b0:4f6:a7f9:1ead with SMTP id s7-20020aa78d47000000b004f6a7f91eadmr32855134pfe.42.1654668675945;
        Tue, 07 Jun 2022 23:11:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1654668675; cv=none;
        d=google.com; s=arc-20160816;
        b=Wcks/aUA8fM65+sW6EFA7RzmoYFg6oQ4rKY9IbhgSXtGdv8YafcWONxjL228JoLxXB
         pESQapWnanthDOyZuwbrPMZMzBFtXhaFuiu4PnCJRmG8f8kD2gKd/x7/rK1frk+PA8JC
         5RkV/vNEtWh+1MogeFgvNb7XshrItp/3St2W1rFITSk0LVrzRonwslmAK4PEDRao14Mf
         5EyEA1hisYGMmWLnU5h7NL83T88zSuQxGyfqHDddiJF/Gwd78HDqw1LineShWJOVXneA
         icktpcDBRCgx+QYmTM/I1pySlQ2Ng6ga7pSdl14tM3eUOt7ue7EIjnSbnD31RwoI6EfN
         RAOA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=RN7ChBCnnPP+Xl8j6cD+6+aN7mvnvoej7M7LwmIopZI=;
        b=0l0fZtzP7GWgjlcWtNKGU6eK49NT6Y56Gaq9gSQt/gaaCEmgZAqvVitiQPR5NQdA0O
         /Qlss+RC8bZduTyQD58R1n79B/W3KxFW28oR5FE9prBfrbTCiXB+Qu1PPIwKv/6vIZ/J
         eJIDNN4lhpeRTSBOa+cEsli4rxcHjaPfTPCY4sS4PFDUiRPtVmPDgLhrWLk2c/DAj684
         B0IadEZOnvTH12eP9KKQGDZEtqNLuelcfUOpPw5dcBfqe6ibH9ke6BDjIkyFJNDr+8Fa
         /o36S+8oxTyYsaXu3Waa997i0ogvVrL4sOCA0UUyAcE1HNmAhFapuO+K2IeBUHj3skdm
         6eTA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=vJCXFyXS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id f23-20020a170902ab9700b00153b2d165f6si24955636plr.510.2022.06.07.23.11.15
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 07 Jun 2022 23:11:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=vJCXFyXS;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 853A12BA94A;
	Tue,  7 Jun 2022 22:33:23 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1383681AbiFHBo4 (ORCPT <rfc822;abrown110010@gmail.com>
        + 99 others); Tue, 7 Jun 2022 21:44:56 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49780 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1383192AbiFGWZC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Jun 2022 18:25:02 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CDFF26EEB6;
        Tue,  7 Jun 2022 12:22:53 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 337FDB823D6;
        Tue,  7 Jun 2022 19:22:45 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 883B5C385A2;
        Tue,  7 Jun 2022 19:22:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1654629763;
        bh=b4XcJOUUruZ4QMXHty+HkTdu2vurMQ51l8/uCb2gwtA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=vJCXFyXSThyhkAfIONI5waJtg+QARfAd9NcpU9oesMGDIXaj4vZaLNz23rYGigZ6V
         TI+oDmt2HVGhG3P7j9kWOaws7LhllNp/PEH7068yXPszzWS6XEPubk/8KKyXL+WPlO
         y763xCWexzoe2NmMr+u0fbGuOjcW7swtGKVYNDM0=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Xiaomeng Tong <xiam0nd.tong@gmail.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 5.18 768/879] scsi: dc395x: Fix a missing check on list iterator
Date:   Tue,  7 Jun 2022 19:04:46 +0200
Message-Id: <20220607165025.155491835@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>
References: <20220607165002.659942637@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xiaomeng Tong <xiam0nd.tong@gmail.com>

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:

	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if the
list is empty or no element is found. This case must be checked before any
use of the iterator, otherwise it will lead to an invalid memory access.

To fix this bug, add a check. Use a new variable 'iter' as the list
iterator, and use the original variable 'p' as a dedicated pointer to point
to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/dc395x.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/scsi/dc395x.c
+++ b/drivers/scsi/dc395x.c
@@ -3585,10 +3585,19 @@ static struct DeviceCtlBlk *device_alloc
 #endif
 	if (dcb->target_lun != 0) {
 		/* Copy settings */
-		struct DeviceCtlBlk *p;
-		list_for_each_entry(p, &acb->dcb_list, list)
-			if (p->target_id == dcb->target_id)
+		struct DeviceCtlBlk *p = NULL, *iter;
+
+		list_for_each_entry(iter, &acb->dcb_list, list)
+			if (iter->target_id == dcb->target_id) {
+				p = iter;
 				break;
+			}
+
+		if (!p) {
+			kfree(dcb);
+			return NULL;
+		}
+
 		dprintkdbg(DBG_1, 
 		       "device_alloc: <%02i-%i> copy from <%02i-%i>\n",
 		       dcb->target_id, dcb->target_lun,