setup_root_hem() reads head->root with list_first_entry() and then
tests the returned pointer against NULL. list_first_entry() never
returns NULL. On an empty list it returns container_of(&head->root,
struct hns_roce_hem_item, list), which equals &head->root because
list is the first member. The -ENOMEM early return is dead code.

If head->root is ever empty here, the aliased root_hem points at
&head->root. root_hem->addr and root_hem->dma_addr then read past
the end of struct hns_roce_hem_head into adjacent memory. The
garbage value is handed to the hardware as a DMA base address.

Use list_first_entry_or_null() so the empty case returns NULL and the
-ENOMEM early return runs.

The same shape has been cleaned up elsewhere, for example in
commit fbb8bc408027 ("net: qed: Remove redundant NULL checks after list_first_entry()"),
commit c708d3fad421 ("crypto: atmel - use list_first_entry_or_null to simplify find_dev"),
and commit 10379171f346 ("ksmbd: use list_first_entry_or_null for opinfo_get_list()").
This hns site was missed by those cleanups.

Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
 drivers/infiniband/hw/hns/hns_roce_hem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.c b/drivers/infiniband/hw/hns/hns_roce_hem.c
index e7c9e30ad2d8..12ac9ba6b312 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.c
@@ -1267,8 +1267,8 @@ setup_root_hem(struct hns_roce_dev *hr_dev, struct hns_roce_hem_list *hem_list,
 	int i, total;
 	int ret;
 
-	root_hem = list_first_entry(&head->root,
-				    struct hns_roce_hem_item, list);
+	root_hem = list_first_entry_or_null(&head->root,
+					    struct hns_roce_hem_item, list);
 	if (!root_hem)
 		return -ENOMEM;
 
-- 
2.34.1