[PATCH 5/6] treewide: remove dereference of list iterator after loop body

[PATCH 0/6] Remove usage of list iterator past the loop body · Jakob Koschel <hidden> · 2022-02-28
[PATCH 1/6] drivers: usb: remove usage of list iterator past the loop body · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 1/6] drivers: usb: remove usage of list iterator past the loop body · Dan Carpenter <hidden> · 2022-02-28
Re: [PATCH 1/6] drivers: usb: remove usage of list iterator past the loop body · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 1/6] drivers: usb: remove usage of list iterator past the loop body · Dan Carpenter <hidden> · 2022-02-28
Re: [PATCH 1/6] drivers: usb: remove usage of list iterator past the loop body · Joe Perches <joe@perches.com> · 2022-02-28
Re: [PATCH 1/6] drivers: usb: remove usage of list iterator past the loop body · Dan Carpenter <hidden> · 2022-03-01
[PATCH 3/6] treewide: fix incorrect use to determine if list is empty · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 3/6] treewide: fix incorrect use to determine if list is empty · Dan Carpenter <hidden> · 2022-02-28
[PATCH 4/6] drivers: remove unnecessary use of list iterator variable · Jakob Koschel <hidden> · 2022-02-28
[PATCH 6/6] treewide: remove check of list iterator against head past the loop body · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 6/6] treewide: remove check of list iterator against head past the loop body · Dominique Martinet <asmadeus@codewreck.org> · 2022-02-28
Re: [PATCH 6/6] treewide: remove check of list iterator against head past the loop body · Dan Carpenter <hidden> · 2022-02-28
Re: [PATCH 6/6] treewide: remove check of list iterator against head past the loop body · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [Intel-gfx] [PATCH 6/6] treewide: remove check of list iterator against head past the loop body · Tvrtko Ursulin <hidden> · 2022-03-02
[PATCH 5/6] treewide: remove dereference of list iterator after loop body · Jakob Koschel <hidden> · 2022-02-28
[PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Greg KH <gregkh@linuxfoundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Greg KH <gregkh@linuxfoundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Christian König <christian.koenig@amd.com> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Segher Boessenkool <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Matthew Wilcox <willy@infradead.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Johannes Berg <johannes@sipsolutions.net> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Matthew Wilcox <willy@infradead.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Kees Cook <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Matthew Wilcox <willy@infradead.org> · 2022-03-01
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakub Kicinski <kuba@kernel.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Greg KH <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Greg KH <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Kees Cook <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-02
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-02
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-03
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-03
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-03
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-03
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-03
Re: [Kgdb-bugreport] [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Daniel Thompson <hidden> · 2022-03-03
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-04
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-03-03
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-03
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Xiaomeng Tong <hidden> · 2022-03-03
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Christian König <christian.koenig@amd.com> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Christian König <christian.koenig@amd.com> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Christian König <christian.koenig@amd.com> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jakob Koschel <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Jeffrey Walton <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Mike Rapoport <rppt@kernel.org> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Barnabás Pőcze <hidden> · 2022-02-28
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Segher Boessenkool <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Rasmus Villemoes <linux@rasmusvillemoes.dk> · 2022-03-02
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Kees Cook <hidden> · 2022-03-02
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Linus Torvalds <torvalds@linux-foundation.org> · 2022-03-02
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Kees Cook <hidden> · 2022-03-02
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Dan Carpenter <hidden> · 2022-03-03
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Dan Carpenter <hidden> · 2022-03-03
RE: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · David Laight <hidden> · 2022-03-01
Re: [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr · Dan Carpenter <hidden> · 2022-02-28
Re: [PATCH 0/6] Remove usage of list iterator past the loop body · Dan Carpenter <hidden> · 2022-03-07
RE: [PATCH 0/6] Remove usage of list iterator past the loop body · David Laight <hidden> · 2022-03-07

STALE1550d

From: Jakob Koschel <hidden>
Date: 2022-02-28 11:09:53
Also in: alsa-devel, amd-gfx, dmaengine, dri-devel, intel-gfx, intel-wired-lan, kvm, linux-arch, linux-aspeed, linux-block, linux-cifs, linux-crypto, linux-f2fs-devel, linux-fsdevel, linux-iio, linux-media, linux-mediatek, linux-pm, linux-rdma, linux-scsi, linux-staging, linux-tegra, linux-usb, linux-wireless, lkml, netdev, nouveau
Subsystem: drm driver for nvidia geforce/quadro gpus, drm drivers, drm drivers and misc gpu patches, f2fs file system, filesystems (vfs and infrastructure), scsi subsystem, the rest · Maintainers: Lyude Paul, Danilo Krummrich, David Airlie, Simona Vetter, Maarten Lankhorst, Maxime Ripard, Thomas Zimmermann, Jaegeuk Kim, Chao Yu, Alexander Viro, Christian Brauner, "James E.J. Bottomley", "Martin K. Petersen", Linus Torvalds

The list iterator variable will be a bogus pointer if no break was hit.
Dereferencing it could load *any* out-of-bounds/undefined value
making it unsafe to use that in the comparision to determine if the
specific element was found.

This is fixed by using a separate list iterator variable for the loop
and only setting the original variable if a suitable element was found.
Then determing if the element was found is simply checking if the
variable is set.

Signed-off-by: Jakob Koschel <redacted>
---
 drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 11 +++++++----
 drivers/scsi/wd719x.c                          | 12 ++++++++----
 fs/f2fs/segment.c                              |  9 ++++++---
 3 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
index 57199be082fd..c56cd9e59a66 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c

@@ -471,20 +471,23 @@ nvkm_pstate_new(struct nvkm_clk *clk, int idx)
 static int
 nvkm_clk_ustate_update(struct nvkm_clk *clk, int req)
 {
-	struct nvkm_pstate *pstate;
+	struct nvkm_pstate *pstate = NULL;
+	struct nvkm_pstate *tmp;
 	int i = 0;

 	if (!clk->allow_reclock)
 		return -ENOSYS;

 	if (req != -1 && req != -2) {
-		list_for_each_entry(pstate, &clk->states, head) {
-			if (pstate->pstate == req)
+		list_for_each_entry(tmp, &clk->states, head) {
+			if (tmp->pstate == req) {
+				pstate = tmp;
 				break;
+			}
 			i++;
 		}

-		if (pstate->pstate != req)
+		if (!pstate)
 			return -EINVAL;
 		req = i;
 	}

diff --git a/drivers/scsi/wd719x.c b/drivers/scsi/wd719x.c
index 1a7947554581..be270ed8e00d 100644
--- a/drivers/scsi/wd719x.c
+++ b/drivers/scsi/wd719x.c

@@ -684,11 +684,15 @@ static irqreturn_t wd719x_interrupt(int irq, void *dev_id)
 	case WD719X_INT_SPIDERFAILED:
 		/* was the cmd completed a direct or SCB command? */
 		if (regs.bytes.OPC == WD719X_CMD_PROCESS_SCB) {
-			struct wd719x_scb *scb;
-			list_for_each_entry(scb, &wd->active_scbs, list)
-				if (SCB_out == scb->phys)
+			struct wd719x_scb *scb = NULL;
+			struct wd719x_scb *tmp;
+
+			list_for_each_entry(tmp, &wd->active_scbs, list)
+				if (SCB_out == tmp->phys) {
+					scb = tmp;
 					break;
-			if (SCB_out == scb->phys)
+				}
+			if (scb)
 				wd719x_interrupt_SCB(wd, regs, scb);
 			else
 				dev_err(&wd->pdev->dev, "card returned invalid SCB pointer\n");

diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 1dabc8244083..a3684385e04a 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c

@@ -356,16 +356,19 @@ void f2fs_drop_inmem_page(struct inode *inode, struct page *page)
 	struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
 	struct list_head *head = &fi->inmem_pages;
 	struct inmem_pages *cur = NULL;
+	struct inmem_pages *tmp;

 	f2fs_bug_on(sbi, !page_private_atomic(page));

 	mutex_lock(&fi->inmem_lock);
-	list_for_each_entry(cur, head, list) {
-		if (cur->page == page)
+	list_for_each_entry(tmp, head, list) {
+		if (tmp->page == page) {
+			cur = tmp;
 			break;
+		}
 	}

-	f2fs_bug_on(sbi, list_empty(head) || cur->page != page);
+	f2fs_bug_on(sbi, !cur);
 	list_del(&cur->list);
 	mutex_unlock(&fi->inmem_lock);

--

2.25.1

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help