staging: vchiq: Fix list_for_each exit tests

After a list_for_each_entry() loop, the list iterator is always non-NULL so these conditions don't work. If the "waiter" is not found then this results in an out of bounds access. I have fixed it by introducing a new "found" variable. In one case, I used an else statement for readability. Fixes: 46e4b9ec ("staging: vchiq_arm: use list_for_each_entry when accessing bulk_waiter_list") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20201006134748.GA2076872@mwandaSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: vchiq: Fix list_for_each exit tests
After a list_for_each_entry() loop, the list iterator is always non-NULL so these conditions don't work. If the "waiter" is not found then this results in an out of bounds access. I have fixed it by introducing a new "found" variable. In one case, I used an else statement for readability. Fixes: 46e4b9ec ("staging: vchiq_arm: use list_for_each_entry when accessing bulk_waiter_list") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Link: https://lore.kernel.org/r/20201006134748.GA2076872@mwandaSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8750de90 · Dan Carpenter · Greg Kroah-Hartman · 6c75a92a · 8750de90
Commit 8750de90 authored Oct 06, 2020 by Dan Carpenter Committed by Greg Kroah-Hartman Oct 06, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 5 deletions

drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c ...ers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c +7 -5

No files found.
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -432,6 +432,7 @@ vchiq_blocking_bulk_transfer(unsigned int handle, void *data,
 	struct vchiq_service *service;
 	enum vchiq_status status;
 	struct bulk_waiter_node *waiter = NULL;
+	bool found = false;
 	service = find_service_by_handle(handle);
 	if (!service)
@@ -445,12 +446,13 @@ vchiq_blocking_bulk_transfer(unsigned int handle, void *data,
 	list_for_each_entry(waiter, &instance->bulk_waiter_list, list) {
 		if (waiter->pid == current->pid) {
 			list_del(&waiter->list);
+			found = true;
 			break;
 		}
 	}
 	mutex_unlock(&instance->bulk_waiter_list_mutex);
-	if (waiter) {
+	if (found) {
 		struct vchiq_bulk *bulk = waiter->bulk_waiter.bulk;
 		if (bulk) {
@@ -467,9 +469,7 @@ vchiq_blocking_bulk_transfer(unsigned int handle, void *data,
 				spin_unlock(&bulk_waiter_spinlock);
 			}
 		}
-	}
+	} else {
-	if (!waiter) {
 		waiter = kzalloc(sizeof(struct bulk_waiter_node), GFP_KERNEL);
 		if (!waiter) {
 			vchiq_log_error(vchiq_core_log_level,
@@ -952,6 +952,7 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
 {
 	struct vchiq_service *service;
 	struct bulk_waiter_node *waiter = NULL;
+	bool found = false;
 	void *userdata = NULL;
 	int status = 0;
 	int ret;
@@ -975,11 +976,12 @@ static int vchiq_irq_queue_bulk_tx_rx(struct vchiq_instance *instance,
 				    list) {
 			if (waiter->pid == current->pid) {
 				list_del(&waiter->list);
+				found = true;
 				break;
 			}
 		}
 		mutex_unlock(&instance->bulk_waiter_list_mutex);
-		if (!waiter) {
+		if (!found) {
 			vchiq_log_error(vchiq_arm_log_level,
 				"no bulk_waiter found for pid %d",
 				current->pid);