From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, "Martin K. Petersen"
Subject: [PATCH 5.15 565/667] scsi: dc395x: Fix a missing check on list iterator
Date: Tue, 7 Jun 2022 19:03:50 +0200
Message-Id: <20220607164951.640440564@linuxfoundation.org>
In-Reply-To: <20220607164934.766888869@linuxfoundation.org>

From: Xiaomeng Tong

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:

	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if
the list is empty or no element is found. This case must be checked
before any use of the iterator, otherwise it will lead to an invalid
memory access.

To fix this bug, add a check. Use a new variable 'iter' as the list
iterator, and use the original variable 'p' as a dedicated pointer to
point to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/dc395x.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c @@ -3590,10 +3590,19 @@ static struct DeviceCtlBlk *device_alloc #endif if (dcb->target_lun != 0) { /* Copy settings */ - struct DeviceCtlBlk *p; - list_for_each_entry(p, &acb->dcb_list, list) - if (p->target_id == dcb->target_id) + struct DeviceCtlBlk *p = NULL, *iter; + + list_for_each_entry(iter, &acb->dcb_list, list) + if (iter->target_id == dcb->target_id) { + p = iter; break; + } + + if (!p) { + kfree(dcb); + return NULL; + } + dprintkdbg(DBG_1, "device_alloc: <%02i-%i> copy from <%02i-%i>\n", dcb->target_id, dcb->target_lun,
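
Review bot: The new `if (!p)` branch at the end of the added lines fails silently: `kfree(dcb); return NULL;` gives the caller the same NULL it would see for any other failure in this function, with nothing logged to say that no entry on `acb->dcb_list` matched `dcb->target_id` for a non-zero LUN. A log line on that path (the driver's debug print macro is already used directly below) would make the condition diagnosable, and a one-line comment above `if (!p)` stating that `list_for_each_entry()` never leaves its cursor NULL when the loop runs to completion would explain why `p` is tracked separately from `iter`. Since only the `kfree(dcb)` is visible here, it is also worth confirming that nothing else set up earlier in the function needs releasing on this early return. Minor style point: the `list_for_each_entry(iter, ...)` body now spans several lines, so braces around the loop body would match the braces added to the inner `if`.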