From: Jakob Koschel <jakobkoschel@xxxxxxxxx> [ Upstream commit 36f4c25ce32ed8a2e6304ebee6246b7f0b3b9a6f ] If the list does not contain the expected element, the value of list_for_each_entry() iterator will not point to a valid structure. To avoid type confusion in such case, the list iterator scope will be limited to list_for_each_entry() loop. In preparation to limiting scope of a list iterator to the list traversal loop, use a dedicated pointer to point to the found element [1]. Determining if an element was found is then simply checking if the pointer is != NULL instead of using the potentially bogus pointer. Link: https://lore.kernel.org/all/YhdfEIwI4EdtHdym@xxxxxxxxx/ Signed-off-by: Jakob Koschel <jakobkoschel@xxxxxxxxx> Link: https://lore.kernel.org/r/20220308171818.384491-18-jakobkoschel@xxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Stable-dep-of: 89e7252d6c7e ("usb: gadget: configfs: Restrict symlink creation is UDC already binded") Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
 drivers/usb/gadget/configfs.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/drivers/usb/gadget/configfs.c b/drivers/usb/gadget/configfs.c
index 8166e771e8663..891d8e4023221 100644
--- a/drivers/usb/gadget/configfs.c
+++ b/drivers/usb/gadget/configfs.c
@@ -418,7 +418,7 @@ static int config_usb_cfg_link(
 struct usb_function_instance *fi = to_usb_function_instance(usb_func_ci);
- struct usb_function_instance *a_fi;
+ struct usb_function_instance *a_fi = NULL, *iter;
 struct usb_function *f;
 int ret;
@@ -428,11 +428,13 @@ static int config_usb_cfg_link(
 * from another gadget or a random directory.
 * Also a function instance can only be linked once.
 */
- list_for_each_entry(a_fi, &gi->available_func, cfs_list) {
- if (a_fi == fi)
- break;
+ list_for_each_entry(iter, &gi->available_func, cfs_list) {
+ if (iter != fi)
+ continue;
+ a_fi = iter;
+ break;
 }
- if (a_fi != fi) {
+ if (!a_fi) {
 ret = -EINVAL;
 goto out;
 }
@@ -889,15 +891,17 @@ static int os_desc_link(struct config_item *os_desc_ci,
 struct gadget_info, os_desc_group);
 struct usb_composite_dev *cdev = &gi->cdev;
 struct config_usb_cfg *c_target = to_config_usb_cfg(usb_cfg_ci);
- struct usb_configuration *c;
+ struct usb_configuration *c = NULL, *iter;
 int ret;
 mutex_lock(&gi->lock);
- list_for_each_entry(c, &cdev->configs, list) {
- if (c == &c_target->c)
- break;
+ list_for_each_entry(iter, &cdev->configs, list) {
+ if (iter != &c_target->c)
+ continue;
+ c = iter;
+ break;
 }
- if (c != &c_target->c) {
+ if (!c) {
 ret = -EINVAL;
 goto out;
 }
--
2.39.2
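Review bot: The `if (!a_fi)` test after the loop in config_usb_cfg_link is a valid not-found check only because the declaration in the first hunk now initialises `a_fi = NULL`, and nothing next to the test records that dependency; the same holds for `if (!c)` and `c = NULL` in the os_desc_link hunk. Since this lookup is what the existing comment describes as rejecting a function instance from another gadget, a short comment above each test would keep a later edit or a partial backport from dropping the initialiser unnoticed, for example `/* a_fi stays NULL unless fi is on gi->available_func */` and `/* c stays NULL unless c_target->c is on cdev->configs */`. Both function bodies start and end outside their hunks, so how `a_fi` and `c` are used after the check is not visible here.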