The list iterator variable will be a bogus pointer if no break was hit. Dereferencing it could load *any* out-of-bounds/undefined value, making it unsafe to use in the comparison that determines whether the specific element was found.
This is fixed by using a separate list iterator variable for the loop and only setting the original variable if a suitable element was found. Determining whether the element was found is then simply a matter of checking whether the variable is set.
Signed-off-by: Jakob Koschel jakobkoschel@gmail.com
---
 drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c | 11 +++++++----
 drivers/scsi/wd719x.c | 12 ++++++++----
 fs/f2fs/segment.c | 9 ++++++---
 3 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
index 57199be082fd..c56cd9e59a66 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/clk/base.c
@@ -471,20 +471,23 @@ nvkm_pstate_new(struct nvkm_clk *clk, int idx)
 static int
 nvkm_clk_ustate_update(struct nvkm_clk *clk, int req)
 {
- struct nvkm_pstate *pstate;
+ struct nvkm_pstate *pstate = NULL;
+ struct nvkm_pstate *tmp;
 int i = 0;
if (!clk->allow_reclock)
 return -ENOSYS;
if (req != -1 && req != -2) {
- list_for_each_entry(pstate, &clk->states, head) {
- if (pstate->pstate == req)
+ list_for_each_entry(tmp, &clk->states, head) {
+ if (tmp->pstate == req) {
+ pstate = tmp;
 break;
+ }
 i++;
 }
- if (pstate->pstate != req)
+ if (!pstate)
 return -EINVAL;
 req = i;
 }
diff --git a/drivers/scsi/wd719x.c b/drivers/scsi/wd719x.c
index 1a7947554581..be270ed8e00d 100644
--- a/drivers/scsi/wd719x.c
+++ b/drivers/scsi/wd719x.c
@@ -684,11 +684,15 @@ static irqreturn_t wd719x_interrupt(int irq, void *dev_id)
 case WD719X_INT_SPIDERFAILED:
 /* was the cmd completed a direct or SCB command? */
 if (regs.bytes.OPC == WD719X_CMD_PROCESS_SCB) {
- struct wd719x_scb *scb;
- list_for_each_entry(scb, &wd->active_scbs, list)
- if (SCB_out == scb->phys)
+ struct wd719x_scb *scb = NULL;
+ struct wd719x_scb *tmp;
+
+ list_for_each_entry(tmp, &wd->active_scbs, list)
+ if (SCB_out == tmp->phys) {
+ scb = tmp;
 break;
- if (SCB_out == scb->phys)
+ }
+ if (scb)
 wd719x_interrupt_SCB(wd, regs, scb);
 else
 dev_err(&wd->pdev->dev, "card returned invalid SCB pointer\n");
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 1dabc8244083..a3684385e04a 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -356,16 +356,19 @@ void f2fs_drop_inmem_page(struct inode *inode, struct page *page)
 struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
 struct list_head *head = &fi->inmem_pages;
 struct inmem_pages *cur = NULL;
+ struct inmem_pages *tmp;
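Review bot: The new cursor in nvkm_clk_ustate_update is called `tmp`, which does not say that it is the loop cursor and must not be read once the loop has ended; `iter` would state that, e.g. `list_for_each_entry(iter, &clk->states, head) {`. The same name is used in the wd719x_interrupt and f2fs_drop_inmem_page hunks. After this change `pstate` serves only as a found flag here (the line after the check uses `i`), so a comment on its declaration such as `/* stays NULL unless a state matching req is found */` would make the `if (!pstate)` test self-explanatory. The function body continues past the end of the hunk.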
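Review bot: The `list_for_each_entry(tmp, &wd->active_scbs, list)` loop in wd719x_interrupt now has a four-line body but no braces of its own, so `if (scb)` on the line after the inner `}` is easy to misread as part of the loop. Bracing the loop, `list_for_each_entry(tmp, &wd->active_scbs, list) {` with a matching `}` before `if (scb)`, keeps the lookup visually separate from the check that follows. Judging by the `dev_err` text, this lookup is what decides whether the SCB pointer reported by the card is handed to `wd719x_interrupt_SCB()` or rejected, so that boundary is worth making obvious. wd719x_interrupt starts and ends outside the hunk.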
f2fs_bug_on(sbi, !page_private_atomic(page));
mutex_lock(&fi->inmem_lock);
- list_for_each_entry(cur, head, list) {
- if (cur->page == page)
+ list_for_each_entry(tmp, head, list) {
+ if (tmp->page == page) {
+ cur = tmp;
 break;
+ }
 }
- f2fs_bug_on(sbi, list_empty(head) || cur->page != page);
+ f2fs_bug_on(sbi, !cur);
 list_del(&cur->list);
 mutex_unlock(&fi->inmem_lock);
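Review bot: In f2fs_drop_inmem_page, `list_del(&cur->list)` still runs when no entry matched, and with this change `cur` is NULL on that path, so a miss becomes a NULL dereference while `fi->inmem_lock` is held unless `f2fs_bug_on()` halts execution. Its definition is not part of this diff; if it only warns in some build configurations, the miss needs its own exit, e.g. `if (!cur) { mutex_unlock(&fi->inmem_lock); return; }` directly after the `f2fs_bug_on(sbi, !cur);` line. Whether an early return is the right recovery depends on the rest of the function, which starts before and continues past the hunk.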
-- 2.25.1