From: "Jörn Engel" <joern@logfs.org>
To: James Bottomley <jbottomley@parallels.com>
Cc: linux-scsi@vger.kernel.org
Subject: [PATCH] scsi_lib: add NULL check to scsi_setup_blk_pc_cmnd
Date: Mon, 23 Jul 2012 13:32:20 -0400
Message-ID: <20120723173220.GA17767@logfs.org>
At least two slightly different paths can lead to a NULL pointer
dereference in scsi_prep_state_check and have been hit in practice.
1.
Call Trace:
[<ffffffff812f8c4b>] scsi_setup_blk_pc_cmnd+0x2b/0x170
[<ffffffff81305108>] sd_prep_fn+0x568/0xdd0
[<ffffffff8121c594>] blk_peek_request+0xb4/0x240
[<ffffffff812f94fe>] scsi_request_fn+0x43e/0x4a0
[<ffffffff8121621b>] __blk_run_queue+0x1b/0x20
[<ffffffff81220638>] blk_execute_rq_nowait+0x68/0xc0
[<ffffffff812206fd>] blk_execute_rq+0x6d/0x100
[<ffffffff812f8f8c>] scsi_execute+0xfc/0x160
[<ffffffff812f975a>] scsi_execute_req+0xca/0x140
[<ffffffff81305a4e>] sd_revalidate_disk+0xde/0x1a00
[<ffffffff8130749b>] sd_probe_async+0x12b/0x1d0
...
2.
Call Trace:
[<ffffffff8130078b>] scsi_setup_blk_pc_cmnd+0x2b/0x170
[<ffffffff8130091d>] scsi_prep_fn+0x4d/0x60
[<ffffffff81227794>] blk_peek_request+0xb4/0x240
[<ffffffff813010cd>] scsi_request_fn+0x47d/0x4b0
[<ffffffff81223bff>] __blk_run_queue+0x1f/0x80
[<ffffffff8122b808>] blk_execute_rq_nowait+0x68/0xc0
...
This patch should fix both cases.
Signed-off-by: Joern Engel <joern@logfs.org>
---
drivers/scsi/scsi_lib.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
index bb216ff..5fb5a1c 100644
--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1079,8 +1079,11 @@ static struct scsi_cmnd *scsi_get_cmd_from_req(struct scsi_device *sdev,
int scsi_setup_blk_pc_cmnd(struct scsi_device *sdev, struct request *req)
{
struct scsi_cmnd *cmd;
- int ret = scsi_prep_state_check(sdev, req);
+ int ret;
+ if (!sdev)
+ return BLKPREP_KILL;
+ ret = scsi_prep_state_check(sdev, req);
if (ret != BLKPREP_OK)
return ret;
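Review bot: the new `if (!sdev)` test at the top of scsi_setup_blk_pc_cmnd() has no comment, and the commit message never says how a request gets this far with a NULL sdev, so a reader cannot tell whether NULL is a legitimate state here or the trace of a bug earlier in the path. Both call traces arrive through blk_peek_request(), one via sd_prep_fn() and one via scsi_prep_fn(), so the pointer is already NULL in the callers. If that state is expected, please add a short comment above the check and a sentence in the changelog describing when it happens. If it is not expected, the check belongs where the callers obtain sdev, so that prep paths which do not pass through this function are covered as well. Returning BLKPREP_KILL also fails the request silently; consider whether this case should be logged.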
--
1.7.10.4