From: Jakob Koschel <jakobkoschel@gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jakob Koschel <jakobkoschel@gmail.com>,
linux-arch <linux-arch@vger.kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Arnd Bergman <arnd@arndb.de>,
"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
Kees Cook <keescook@chromium.org>,
Mike Rapoport <rppt@kernel.org>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
"Brian Johannesmeyer" <bjohannesmeyer@gmail.com>,
Cristiano Giuffrida <c.giuffrida@vu.nl>,
"Bos, H.J." <h.j.bos@vu.nl>,
Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
Dan Carpenter <dan.carpenter@oracle.com>,
Jason Gunthorpe <jgg@ziepe.ca>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Nathan Chancellor <nathan@kernel.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-sgx@vger.kernel.org, drbd-dev@lists.linbit.com,
linux-block@vger.kernel.org, linux-iio@vger.kernel.org,
linux-crypto@vger.kernel.org, dmaengine@vger.kernel.org,
linux1394-devel@lists.sourceforge.net,
amd-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org,
intel-gfx@lists.freedesktop.org, nouveau@lists.freedesktop.org,
linux-rdma@vger.kernel.org, linux-media@vger.kernel.org,
intel-wired-lan@lists.osuosl.org, netdev@vger.kernel.org,
linux-wireless@vger.kernel.org, linux-pm@vger.kernel.org,
linux-scsi@vger.kernel.org, linux-staging@lists.linux.dev,
linux-usb@vger.kernel.org, linux-aspeed@lists.ozlabs.org,
bcm-kernel-feedback-list@broadcom.com,
linux-tegra@vger.kernel.org, linux-mediatek@lists.infradead.org,
kvm@vger.kernel.org, linux-cifs@vger.kernel.org,
samba-technical@lists.samba.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel@vger.kernel.org,
kgdb-bugreport@lists.sourceforge.net,
v9fs-developer@lists.sourceforge.net,
tipc-discussion@lists.sourceforge.net,
alsa-devel@alsa-project.org
Subject: [PATCH 5/6] treewide: remove dereference of list iterator after loop body
Date: Mon, 28 Feb 2022 12:08:21 +0100 [thread overview]
Message-ID: <20220228110822.491923-6-jakobkoschel@gmail.com> (raw)
In-Reply-To: <20220228110822.491923-1-jakobkoschel@gmail.com>
The list iterator variable will be a bogus pointer if no break was hit.
Dereferencing it could load *any* out-of-bounds/undefined value
making it unsafe to use that in the comparision to determine if the
specific element was found.
This is fixed by using a separate list iterator variable for the loop
and only setting the original variable if a suitable element was found.
Then determing if the element was found is simply checking if the
variable is set.
Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
---
drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 11 +++++++----
drivers/scsi/wd719x.c | 12 ++++++++----
fs/f2fs/segment.c | 9 ++++++---
3 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
index 57199be082fd..c56cd9e59a66 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
@@ -471,20 +471,23 @@ nvkm_pstate_new(struct nvkm_clk *clk, int idx)
static int
nvkm_clk_ustate_update(struct nvkm_clk *clk, int req)
{
- struct nvkm_pstate *pstate;
+ struct nvkm_pstate *pstate = NULL;
+ struct nvkm_pstate *tmp;
int i = 0;
if (!clk->allow_reclock)
return -ENOSYS;
if (req != -1 && req != -2) {
- list_for_each_entry(pstate, &clk->states, head) {
- if (pstate->pstate == req)
+ list_for_each_entry(tmp, &clk->states, head) {
+ if (tmp->pstate == req) {
+ pstate = tmp;
break;
+ }
i++;
}
- if (pstate->pstate != req)
+ if (!pstate)
return -EINVAL;
req = i;
}
diff --git a/drivers/scsi/wd719x.c b/drivers/scsi/wd719x.c
index 1a7947554581..be270ed8e00d 100644
--- a/drivers/scsi/wd719x.c
+++ b/drivers/scsi/wd719x.c
@@ -684,11 +684,15 @@ static irqreturn_t wd719x_interrupt(int irq, void *dev_id)
case WD719X_INT_SPIDERFAILED:
/* was the cmd completed a direct or SCB command? */
if (regs.bytes.OPC == WD719X_CMD_PROCESS_SCB) {
- struct wd719x_scb *scb;
- list_for_each_entry(scb, &wd->active_scbs, list)
- if (SCB_out == scb->phys)
+ struct wd719x_scb *scb = NULL;
+ struct wd719x_scb *tmp;
+
+ list_for_each_entry(tmp, &wd->active_scbs, list)
+ if (SCB_out == tmp->phys) {
+ scb = tmp;
break;
- if (SCB_out == scb->phys)
+ }
+ if (scb)
wd719x_interrupt_SCB(wd, regs, scb);
else
dev_err(&wd->pdev->dev, "card returned invalid SCB pointer\n");
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 1dabc8244083..a3684385e04a 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -356,16 +356,19 @@ void f2fs_drop_inmem_page(struct inode *inode, struct page *page)
struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
struct list_head *head = &fi->inmem_pages;
struct inmem_pages *cur = NULL;
+ struct inmem_pages *tmp;
f2fs_bug_on(sbi, !page_private_atomic(page));
mutex_lock(&fi->inmem_lock);
- list_for_each_entry(cur, head, list) {
- if (cur->page == page)
+ list_for_each_entry(tmp, head, list) {
+ if (tmp->page == page) {
+ cur = tmp;
break;
+ }
}
- f2fs_bug_on(sbi, list_empty(head) || cur->page != page);
+ f2fs_bug_on(sbi, !cur);
list_del(&cur->list);
mutex_unlock(&fi->inmem_lock);
--
2.25.1
next prev parent reply other threads:[~2022-02-28 11:09 UTC|newest]
Thread overview: 85+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-28 11:08 [PATCH 0/6] Remove usage of list iterator past the loop body Jakob Koschel
2022-02-28 11:08 ` [PATCH 1/6] drivers: usb: remove " Jakob Koschel
2022-02-28 11:24 ` Dan Carpenter
2022-02-28 12:03 ` Jakob Koschel
2022-02-28 13:18 ` Dan Carpenter
2022-02-28 18:20 ` Joe Perches
2022-03-01 5:52 ` Dan Carpenter
2022-02-28 11:08 ` [PATCH 2/6] treewide: remove using list iterator after loop body as a ptr Jakob Koschel
2022-02-28 11:20 ` Greg KH
2022-02-28 12:06 ` Jakob Koschel
2022-03-01 17:37 ` Greg KH
2022-02-28 12:19 ` Christian König
2022-02-28 19:56 ` Linus Torvalds
2022-02-28 20:03 ` Linus Torvalds
2022-02-28 20:10 ` Linus Torvalds
2022-02-28 20:14 ` Linus Torvalds
2022-02-28 20:53 ` Segher Boessenkool
2022-02-28 20:16 ` Matthew Wilcox
2022-02-28 20:27 ` Johannes Berg
2022-02-28 20:41 ` Linus Torvalds
2022-02-28 20:37 ` Linus Torvalds
2022-02-28 23:26 ` Matthew Wilcox
2022-03-01 0:45 ` Linus Torvalds
2022-03-01 0:57 ` Linus Torvalds
2022-03-01 18:14 ` Kees Cook
2022-03-01 18:47 ` Linus Torvalds
2022-03-01 19:01 ` Matthew Wilcox
2022-03-01 3:03 ` David Laight
2022-02-28 21:47 ` Jakob Koschel
2022-03-01 0:41 ` Linus Torvalds
2022-03-01 6:32 ` Jakub Kicinski
2022-03-01 11:28 ` Jakob Koschel
2022-03-01 17:36 ` Greg KH
2022-03-01 17:40 ` Jakob Koschel
2022-03-01 17:58 ` Greg KH
2022-03-01 18:21 ` Kees Cook
2022-03-02 9:31 ` Xiaomeng Tong
2022-03-02 14:04 ` David Laight
2022-03-03 2:27 ` Xiaomeng Tong
2022-03-03 4:58 ` David Laight
2022-03-03 7:26 ` Xiaomeng Tong
2022-03-03 9:30 ` David Laight
2022-03-03 12:37 ` Xiaomeng Tong
2022-03-03 12:18 ` [Kgdb-bugreport] " Daniel Thompson
2022-03-04 6:59 ` Xiaomeng Tong
2022-03-03 7:32 ` Jakob Koschel
2022-03-03 8:30 ` Xiaomeng Tong
2022-03-03 8:38 ` Xiaomeng Tong
2022-02-28 20:07 ` Christian König
2022-02-28 20:42 ` James Bottomley
2022-02-28 20:56 ` Christian König
2022-02-28 21:13 ` James Bottomley
2022-03-01 7:03 ` Christian König
2022-02-28 22:05 ` Jakob Koschel
2022-02-28 21:18 ` Jeffrey Walton
2022-02-28 21:59 ` Mike Rapoport
2022-02-28 22:28 ` James Bottomley
2022-02-28 22:50 ` Barnabás Pőcze
2022-03-01 0:30 ` Segher Boessenkool
2022-03-01 0:54 ` Linus Torvalds
2022-03-01 19:06 ` Linus Torvalds
2022-03-01 19:42 ` Linus Torvalds
2022-03-01 22:58 ` David Laight
2022-03-01 23:03 ` Linus Torvalds
2022-03-01 23:19 ` David Laight
2022-03-01 23:55 ` Linus Torvalds
2022-03-02 9:29 ` Rasmus Villemoes
2022-03-02 20:07 ` Kees Cook
2022-03-02 20:18 ` Linus Torvalds
2022-03-02 20:59 ` Kees Cook
2022-03-03 8:37 ` Dan Carpenter
2022-03-03 10:56 ` Dan Carpenter
2022-03-01 2:15 ` David Laight
2022-02-28 13:13 ` Dan Carpenter
2022-02-28 11:08 ` [PATCH 3/6] treewide: fix incorrect use to determine if list is empty Jakob Koschel
2022-02-28 11:38 ` Dan Carpenter
2022-02-28 11:08 ` [PATCH 4/6] drivers: remove unnecessary use of list iterator variable Jakob Koschel
2022-02-28 11:08 ` Jakob Koschel [this message]
2022-02-28 11:08 ` [PATCH 6/6] treewide: remove check of list iterator against head past the loop body Jakob Koschel
2022-02-28 13:12 ` Dan Carpenter
2022-03-01 20:36 ` Linus Torvalds
2022-03-02 17:14 ` [Intel-gfx] " Tvrtko Ursulin
2022-03-07 15:00 ` [PATCH 0/6] Remove usage of list iterator " Dan Carpenter
2022-03-07 15:26 ` David Laight
2022-03-07 19:15 ` Linus Torvalds
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220228110822.491923-6-jakobkoschel@gmail.com \
--to=jakobkoschel@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=alsa-devel@alsa-project.org \
--cc=amd-gfx@lists.freedesktop.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=arnd@arndb.de \
--cc=bcm-kernel-feedback-list@broadcom.com \
--cc=bjohannesmeyer@gmail.com \
--cc=c.giuffrida@vu.nl \
--cc=christophe.jaillet@wanadoo.fr \
--cc=dan.carpenter@oracle.com \
--cc=dmaengine@vger.kernel.org \
--cc=drbd-dev@lists.linbit.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gustavo@embeddedor.com \
--cc=h.j.bos@vu.nl \
--cc=intel-gfx@lists.freedesktop.org \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jgg@ziepe.ca \
--cc=keescook@chromium.org \
--cc=kgdb-bugreport@lists.sourceforge.net \
--cc=kvm@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-aspeed@lists.ozlabs.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-cifs@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=linux-staging@lists.linux.dev \
--cc=linux-tegra@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linux1394-devel@lists.sourceforge.net \
--cc=linux@rasmusvillemoes.dk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=nathan@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nouveau@lists.freedesktop.org \
--cc=rppt@kernel.org \
--cc=samba-technical@lists.samba.org \
--cc=tglx@linutronix.de \
--cc=tipc-discussion@lists.sourceforge.net \
--cc=torvalds@linux-foundation.org \
--cc=v9fs-developer@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).