From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-qv1-f46.google.com (mail-qv1-f46.google.com [209.85.219.46])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id ED3653750A9
	for <linux-kernel@vger.kernel.org>; Fri,  8 May 2026 07:52:03 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.46
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1778226725; cv=none; b=W53MmXi5x/7h/VZZxFSD3T0diT+pHZw+B1Ci07e+R1PMkF67mdlbotZYZt476JKnNjKvwGo3HO46sk0Lwpr7KcdUYbVszsUn8cU0afjlE27oRZBXyon+ks+8OMlde4bvEhCMk6mMleQcupdzek+PXDQZ0iCF0hxt1DYCfnE+S/I=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1778226725; c=relaxed/simple;
	bh=+hGFEzL83JRjm/4SymQAvrLQcOvD7wmAyNC0O9gabE4=;
	h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
	 Content-Disposition; b=Jvw9wqYbSoD2KC7LwnPGtqKdzJVN3pMf/P14IPCkOPJFpyJtKqKiJFWRu6vHFz/T6MmHWFCpHfjix1bDK+l9nQrF3x757gEvLuCFpTTrb34usEJubuMjrufz0OVB7vtJ++iAh2B6aeuBB/8L5N3rVcM1g+2VgExgfO2n2SLaF1g=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ZkFWzna8; arc=none smtp.client-ip=209.85.219.46
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ZkFWzna8"
Received: by mail-qv1-f46.google.com with SMTP id 6a1803df08f44-8b1f2b7f1bcso19401566d6.1
        for <linux-kernel@vger.kernel.org>; Fri, 08 May 2026 00:52:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1778226723; x=1778831523; darn=vger.kernel.org;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=aDoE2rE1SAE6iZmEWNqg67hZIZXJqKOJm3oC+rNyc8Q=;
        b=ZkFWzna8VD5A/DFCXeIVzbULEPAFh6KKNSV4/xsrkHWgXn8cxgwbVv1WTuogc3l38E
         IRVw7WmOtAJCF9Na8iQ5Bj+jO01SJjoJAlPoLZa6ZVDtbLqHk+oe7AluYQcM+O5K+rtA
         W4zEykc9+m+EiqqGgcKX4T6/Nm5qQQ+IZiu2XVY6GtN6v3dprbGy7t4UJ7jDQZlqus9R
         j6UsAuDHF3QZ4fYSksBHUYbTU0Q+C03xZKnRICCYaGXtisYWuXdYtiDcqpFw3ptf6N4u
         k6QuNKWhvy4gZdYSs+RYMOITh+ensIMRX7eRJ7vTPTBXM4xZAqoeUmw9dnCpzXvm2+QB
         O61w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1778226723; x=1778831523;
        h=content-disposition:mime-version:message-id:subject:cc:to:from:date
         :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=aDoE2rE1SAE6iZmEWNqg67hZIZXJqKOJm3oC+rNyc8Q=;
        b=MQ/Cd07qPI+PlZ5u2CX9UlCmMmqgck9V3B3eJuu3Nrnw7sAkT5gjrRLi6JapQfG9oO
         CxcvJe4uLyElMYhZLyO63cULghqRwYuC6G6mwLQwO+8bZZUdRHcL7M01wL4YthPbNJpB
         jAB7AY7enAESHZV5UqKC6en4iK0tO1WHQHZE9ieCEmqSYF+aBiLG6nDZqjTcJleBz9jm
         7HOs1xuVWT0lQHPQ5Y9gzrVAXhLT+9vIfyfaS02mD+Dr2Vr2ONkrZdyUrd5sYwMfemRa
         JHn4G/wUT5vhd24egNlKghfxuhqA/tcmGS3os88ADozIwTv0cWu75RbCdnOwnVmze54T
         c67g==
X-Forwarded-Encrypted: i=1; AFNElJ/xaC/f/V8zlvqd8gib+IL3CoABvpok9HJseiTmYkcF0w6t41FpeA2zmLhhu7gi4feAqnYu9fZoTmfrtY0=@vger.kernel.org
X-Gm-Message-State: AOJu0YzBL345lnk/4aG770ZjBwz+0nTRsY4/w+oL1p1Z/y21kK20ve7u
	2nIDV332OjtNNe7ga3ky9v/LKimY2o6kBsSv2V2Vo28tPTnTec0iHV/p
X-Gm-Gg: Acq92OHca+uOEaLGFym3K9YHePlKt5+RKiTgZkgHjLXuePGos55ZbORZHRxHxd+PrPX
	Cx+WZsBM4FYvw3SqMJ/g7eQ2Zs/qwEuKHuHQoRkjYB7T8O6Tc0FzSSyZSpQLP9NxDCxLAfTKba1
	0UfDNzt/P5+nPDWN2yeXNNejO6zBbhv1ltJm6pp3rfk5Rw0LiMUc3lam1psiFb3gSAVnbdS5/EK
	1FjgHIhYclWBvvtNQG9wYO6N116GHZNJsIL4uUYraLmRNvvACkTactNGIu2iv+b9/qDGUk5xqYx
	K9eplyJ732zFglSBcydhynl21wFzBzKQzU03UvGjjZQKUhVhCx00CK4eFrzG1l9wX0BY4y+VK1C
	qC1Lp1A6whonGfoi11Aj0tYix4/26iw5voJ0lRxGN4i4P+tR+RHFCLxGax2NPsNVYw2rUcI4C/b
	6qcH0g1E358nERCsuw+HhNNPMmfe2J
X-Received: by 2002:ad4:5aa5:0:b0:8ac:a266:ce34 with SMTP id 6a1803df08f44-8bdb6ec5e9dmr92649186d6.3.1778226722878;
        Fri, 08 May 2026 00:52:02 -0700 (PDT)
Received: from localhost ([185.141.119.51])
        by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8bf3addb413sm11845026d6.9.2026.05.08.00.52.01
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 08 May 2026 00:52:02 -0700 (PDT)
Date: Fri, 8 May 2026 10:51:56 +0300
From: Dan Carpenter <error27@gmail.com>
To: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>,
	Alexandre Bounine <alex.bou9@gmail.com>,
	Chul Kim <chul.kim@idt.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH] rapidio/tsi721: Prevent a bad dereference in tsi721_db_dpc()
Message-ID: <af2WHMZiqMwdYveO@stanley.mountain>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailer: git-send-email haha only kidding

With a list_for_each() loop, if we don't find the item we are looking
for in the list, then the loop exits with the iterator, which is "dbell"
in this loop, pointing to invalid memory.

This code uses the "found" variable to determine if we have found the
doorbell we are looking for or not.  However, the problem that the
"found" variable needs to be set to false at the start of each iteration,
otherwise after the first correct doorbell, then everything is marked as
found.

Reset the "found" to false at the start of the iteration and move the
variable inside the loop.

Fixes: 48618fb4e522 ("RapidIO: add mport driver for Tsi721 bridge")
Signed-off-by: Dan Carpenter <error27@gmail.com>
---
 drivers/rapidio/devices/tsi721.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/rapidio/devices/tsi721.c b/drivers/rapidio/devices/tsi721.c
index 66331e67cf4e..71b87bf8c31d 100644
--- a/drivers/rapidio/devices/tsi721.c
+++ b/drivers/rapidio/devices/tsi721.c
@@ -394,7 +394,6 @@ static void tsi721_db_dpc(struct work_struct *work)
 						    idb_work);
 	struct rio_mport *mport;
 	struct rio_dbell *dbell;
-	int found = 0;
 	u32 wr_ptr, rd_ptr;
 	u64 *idb_entry;
 	u32 regval;
@@ -412,6 +411,8 @@ static void tsi721_db_dpc(struct work_struct *work)
 	rd_ptr = ioread32(priv->regs + TSI721_IDQ_RP(IDB_QUEUE)) % IDB_QSIZE;
 
 	while (wr_ptr != rd_ptr) {
+		int found = 0;
+
 		idb_entry = (u64 *)(priv->idb_base +
 					(TSI721_IDB_ENTRY_SIZE * rd_ptr));
 		rd_ptr++;
-- 
2.53.0