From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, "Martin K. Petersen"
Subject: [PATCH 5.18 768/879] scsi: dc395x: Fix a missing check on list iterator
Date: Tue, 7 Jun 2022 19:04:46 +0200
Message-Id: <20220607165025.155491835@linuxfoundation.org>
In-Reply-To: <20220607165002.659942637@linuxfoundation.org>

From: Xiaomeng Tong

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:
	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if
the list is empty or no element is found. This case must be checked
before any use of the iterator, otherwise it will lead to an invalid
memory access.

To fix this bug, add a check. Use a new variable 'iter' as the list
iterator, and use the original variable 'p' as a dedicated pointer to
point to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/dc395x.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -3585,10 +3585,19 @@ static struct DeviceCtlBlk *device_alloc #endif if (dcb->target_lun != 0) { /* Copy settings */ - struct DeviceCtlBlk *p; - list_for_each_entry(p, &acb->dcb_list, list) - if (p->target_id == dcb->target_id) + struct DeviceCtlBlk *p = NULL, *iter; + + list_for_each_entry(iter, &acb->dcb_list, list) + if (iter->target_id == dcb->target_id) { + p = iter; break; + } + + if (!p) { + kfree(dcb); + return NULL; + } + dprintkdbg(DBG_1, "device_alloc: <%02i-%i> copy from <%02i-%i>\n", dcb->target_id, dcb->target_lun,
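
Review bot: The new `if (!p)` branch in device_alloc does `kfree(dcb); return NULL;` without logging anything, so a caller cannot tell "no existing entry with this target_id to copy settings from" apart from an allocation failure. Consider emitting a message through the driver's existing debug print (the hunk already uses dprintkdbg a few lines below) before returning, naming dcb->target_id and dcb->target_lun. It is also worth confirming, since the hunk does not show it, that nothing between the allocation of dcb and this point has linked dcb into a list or taken another resource that a bare kfree would leave dangling. Style: the body of `list_for_each_entry(iter, &acb->dcb_list, list)` is now a braced multi-line `if`, so the loop itself should get braces as well. The separation of 'iter' (cursor) from 'p' (result, initialised to NULL) is the right shape for the fix, because after a loop that runs to completion the cursor is computed from the list head rather than from a real DeviceCtlBlk, and the dprintkdbg that follows must not dereference it.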