From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xiaomeng Tong, "Martin K. Petersen"
Subject: [PATCH 4.9 084/167] scsi: dc395x: Fix a missing check on list iterator
Date: Mon, 13 Jun 2022 12:09:18 +0200
Message-Id: <20220613094900.583799913@linuxfoundation.org>
In-Reply-To: <20220613094840.720778945@linuxfoundation.org>
References: <20220613094840.720778945@linuxfoundation.org>

From: Xiaomeng Tong

commit 036a45aa587a10fa2abbd50fbd0f6c4cfc44f69f upstream.

The bug is here:

	p->target_id, p->target_lun);

The list iterator 'p' will point to a bogus position containing HEAD if the
list is empty or no element is found. This case must be checked before any
use of the iterator, otherwise it will lead to an invalid memory access.

To fix this bug, add a check. Use a new variable 'iter' as the list
iterator, and use the original variable 'p' as a dedicated pointer to point
to the found element.

Link: https://lore.kernel.org/r/20220414040231.2662-1-xiam0nd.tong@gmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Xiaomeng Tong
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
---
 drivers/scsi/dc395x.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/scsi/dc395x.c +++ b/drivers/scsi/dc395x.c
@@ -3775,10 +3775,19 @@ static struct DeviceCtlBlk *device_alloc #endif if (dcb->target_lun != 0) { /* Copy settings */ - struct DeviceCtlBlk *p; - list_for_each_entry(p, &acb->dcb_list, list) - if (p->target_id == dcb->target_id) + struct DeviceCtlBlk *p = NULL, *iter; + + list_for_each_entry(iter, &acb->dcb_list, list) + if (iter->target_id == dcb->target_id) { + p = iter; break; + } + + if (!p) { + kfree(dcb); + return NULL; + } + dprintkdbg(DBG_1, "device_alloc: <%02i-%i> copy from <%02i-%i>\n", dcb->target_id, dcb->target_lun,
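
Review bot: the new `if (!p)` branch frees dcb and returns NULL without logging anything, so a failure caused by a LUN != 0 device having no entry with the same target_id on acb->dcb_list looks the same to the caller as any other NULL return from this function. A message in the style of the dprintkdbg() call that follows, naming dcb->target_id and dcb->target_lun, placed before `kfree(dcb);` would make the new failure path visible. As a style point, the body of list_for_each_entry() now spans several lines (`if (...) { p = iter; break; }`), so the loop itself should carry braces as well.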
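
The failure mode the commit message describes, reproduced in userspace as an added example (not code from the patch or the kernel tree): after a search that finds nothing, the iterator is the list head reinterpreted as an element rather than NULL, while the `iter`/`p` pattern yields NULL. `struct dev`, `find_raw`, `find_checked`, the `host` wrapper and the simplified list macros are constructed stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace stand-ins for the kernel's <linux/list.h> helpers (simplified). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                        \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head);                                      \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

struct dev { int target_id; struct list_head list; };  /* constructed type */
static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* Pre-fix pattern: hands back the raw iterator, which is never NULL. */
static struct dev *find_raw(struct list_head *head, int id)
{
	struct dev *p;
	list_for_each_entry(p, head, list)
		if (p->target_id == id)
			break;
	return p;  /* on a miss this is container_of(head), not an element */
}

/* Post-fix pattern: 'p' stays NULL unless 'iter' actually matched. */
static struct dev *find_checked(struct list_head *head, int id)
{
	struct dev *p = NULL, *iter;
	list_for_each_entry(iter, head, list)
		if (iter->target_id == id) {
			p = iter;
			break;
		}
	return p;
}

int main(void)
{
	/* The head lives inside a larger object, as acb->dcb_list does. */
	struct { long pad; struct list_head h; } host = { 0, { &host.h, &host.h } };
	struct dev a = { .target_id = 3 };
	list_add_tail(&a.list, &host.h);
	struct dev *raw = find_raw(&host.h, 7);  /* id 7 is not on the list */
	printf("raw aliases head: %d, checked: %p\n", &raw->list == &host.h, (void *)find_checked(&host.h, 7));
	return 0;
}
```

The non-NULL value returned by `find_raw` on a miss points into whatever object embeds the list head, which is why a NULL test on the iterator itself cannot catch this case.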