The bug is here:
pmem->vaddr = NULL;
The list iterator 'pmem' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it will
lead to an invalid memory access.
To fix this bug, just gen_pool_free/set NULL/list_del() and return
when found, otherwise list_del HEAD and return;
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220414035609.2239-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
{
struct stratix10_svc_data_mem *pmem;
- size_t size = 0;
list_for_each_entry(pmem, &svc_data_mem, node)
if (pmem->vaddr == kaddr) {
- size = pmem->size;
- break;
+ gen_pool_free(chan->ctrl->genpool,
+ (unsigned long)kaddr, pmem->size);
+ pmem->vaddr = NULL;
+ list_del(&pmem->node);
+ return;
}
- gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
- pmem->vaddr = NULL;
- list_del(&pmem->node);
+ list_del(&svc_data_mem);
}
EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
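Review bot: On the not-found path at the end of the function, `list_del(&svc_data_mem);` unlinks the list head itself rather than an entry. When no node matches kaddr there is nothing to remove. list_del() on the head poisons its next/prev pointers, so a later list_for_each_entry(pmem, &svc_data_mem, node) would start from a poisoned head, and on a non-empty list the remaining entries are no longer reachable from it. Suggest dropping that line and just returning when kaddr is not found, optionally with a warning so a bad kaddr from a caller is visible. The found branch itself looks right: gen_pool_free(), the NULL store and list_del(&pmem->node) now only run on a valid entry.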