From nobody Mon May 11 04:52:14 2026
Return-Path: <linux-kernel-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C8B0BC433EF
	for <linux-kernel@archiver.kernel.org>; Thu, 14 Apr 2022 03:56:21 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239787AbiDND6n (ORCPT <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 13 Apr 2022 23:58:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57304 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229549AbiDND6j (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Apr 2022 23:58:39 -0400
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com
 [IPv6:2607:f8b0:4864:20::433])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5A011EAD3;
        Wed, 13 Apr 2022 20:56:16 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id bo5so3754623pfb.4;
        Wed, 13 Apr 2022 20:56:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=from:to:cc:subject:date:message-id;
        bh=6JqFeh4navCAkj5rFbxKZvKaVnUhQSiW3dMCYFISCQ0=;
        b=qA2StoYwKpYFkG4qBYg96eNsK1abtI4aeNFwNiyNnZL8nfFcfVSXduu/NoTlmzrkPn
         cMIR+H0kgy/XVbdC80vUY+DJAw0J05HbljoF6a6oKLw3rFDefujzna6GnnY+cXEUDan8
         TSiRr9mdhbYrs7I2XbVwwOHZ7L2tbDr26JlbSvH+YeCBloaiqEYgs9IN2+SHpUUda7t3
         QD2F+MCYgBxdC8cCH8WQ4u2WzQnNoF/baJZDT9IOaDyfmwbR78Z24btf/TLbFjJzD5eh
         vTadunXo1Ob0/LcyLdyXoKIijzCKI1qS0q3G1KctL0kjUD3wk2fk/BxzWizGNmD78snh
         sxWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=6JqFeh4navCAkj5rFbxKZvKaVnUhQSiW3dMCYFISCQ0=;
        b=okfTeKXXY1hllGhlez7NK0yV1Eg75ukz2IZ0qOrhW0pamOYVWmmCWyOSI0PRC1zpfq
         KRbCx7SLHAy4Df7C6MnYIiffuPxs9XJ6Ye6REP6Yl6Ar6MclJ3jyQYhLqQVgOjJASIvB
         vCXJT1NDvU5qsWTT/3go26fmht2w51ijo1OfWrhX7QDiHaHWijxNENepvWLnqORxxoAN
         h3Qgt+c0SDJj+7a1L7Sa5z2Fu+0iAA9WUWlMtVQaOWHwB0dhbgwJ+2PdLXPuQdetgQtX
         Ngp9YMASxcoK1CRAXCywPN7wD3mGdu9TrtF2GwjvkglohFBplaYoQ5DmEecGOOU4+fZs
         p0bg==
X-Gm-Message-State: AOAM530bkGpbhN1kAJVPbfAWT2IiWGvL+GtczA0JT9LM94xdQDSgTukq
        i/A5t5qOh+JucVCHEcu3M8Y=
X-Google-Smtp-Source: 
 ABdhPJwamlC67c0gDpeV3po1lICPHaYXmM3aTTHLaNXps5ULDTMUFYVt53myWkTCiI7YtEuBQIZ3EQ==
X-Received: by 2002:a62:1714:0:b0:505:fbff:fe8e with SMTP id
 20-20020a621714000000b00505fbfffe8emr11808137pfx.49.1649908576148;
        Wed, 13 Apr 2022 20:56:16 -0700 (PDT)
Received: from localhost.localdomain ([119.3.119.18])
        by smtp.googlemail.com with ESMTPSA id
 u22-20020a17090a891600b001cd498dc152sm622918pjn.2.2022.04.13.20.56.13
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 13 Apr 2022 20:56:15 -0700 (PDT)
From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
To: dinguyen@kernel.org
Cc: gregkh@linuxfoundation.org, richard.gong@intel.com,
        atull@kernel.org, linux-kernel@vger.kernel.org,
        Xiaomeng Tong <xiam0nd.tong@gmail.com>, stable@vger.kernel.org
Subject: [RESEND][PATCH] firmware: stratix10-svc: fix a missing check on list
 iterator
Date: Thu, 14 Apr 2022 11:56:09 +0800
Message-Id: <20220414035609.2239-1-xiam0nd.tong@gmail.com>
X-Mailer: git-send-email 2.17.1
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The bug is here:
	pmem->vaddr =3D NULL;

The list iterator 'pmem' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it will
lead to a invalid memory access.

To fix this bug, just gen_pool_free/set NULL/list_del() and return
when found, otherwise list_del HEAD and return;

Cc: stable@vger.kernel.org
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Acked-by: Dinh Nguyen <dinguyen@kernel.org>
---
 drivers/firmware/stratix10-svc.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-=
svc.c
index 29c0a616b317..30093aa82b7f 100644
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory);
 void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kadd=
r)
 {
 	struct stratix10_svc_data_mem *pmem;
-	size_t size =3D 0;
=20
 	list_for_each_entry(pmem, &svc_data_mem, node)
 		if (pmem->vaddr =3D=3D kaddr) {
-			size =3D pmem->size;
-			break;
+			gen_pool_free(chan->ctrl->genpool,
+				       (unsigned long)kaddr, pmem->size);
+			pmem->vaddr =3D NULL;
+			list_del(&pmem->node);
+			return;
 		}
=20
-	gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
-	pmem->vaddr =3D NULL;
-	list_del(&pmem->node);
+	list_del(&svc_data_mem);
 }
 EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
=20
--=20
2.17.1