[PATCH] scsi: hisi_sas: Fix NULL pointer dereference

[PATCH] scsi: hisi_sas: Fix NULL pointer dereference

[Gustavo A. R. Silva]

There is a NULL pointer dereference in case *slot* happens to
be NULL at line 1878:

struct hisi_sas_cq *cq =
	&hisi_hba->cq[slot->dlvry_queue];

Notice that *slot* is being NULL checked at line 1881: if (slot),
which implies it may be NULL.

Fix this by placing the declaration and definition of variable cq,
which contains the pointer dereference slot->dlvry_queue, after
*slot* has been properly NULL checked.

Addresses-Coverity-ID: 1474515 ("Dereference before null check")
Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
 drivers/scsi/hisi_sas/hisi_sas_main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 2e5eaf1..e3f7c7b 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1875,10 +1875,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
 	if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 		if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 			struct hisi_sas_slot *slot = task->lldd_task;
-			struct hisi_sas_cq *cq =
-				&hisi_hba->cq[slot->dlvry_queue];
 
 			if (slot) {
+				struct hisi_sas_cq *cq =
+					&hisi_hba->cq[slot->dlvry_queue];
 				/*
 				 * flush tasklet to avoid free'ing task
 				 * before using task in IO completion
-- 
2.7.4

Re: [PATCH] scsi: hisi_sas: Fix NULL pointer dereference

[Gustavo A. R. Silva]

Hi,

I just found another instance of this same issue at line 1053.

Please, drop this patch and I'll send v2 addressing both instances, shortly.

Thanks
--
Gustavo

On 10/18/18 6:41 PM, Gustavo A. R. Silva wrote:
> There is a NULL pointer dereference in case *slot* happens to
> be NULL at line 1878:
> 
> struct hisi_sas_cq *cq =
> 	&hisi_hba->cq[slot->dlvry_queue];
> 
> Notice that *slot* is being NULL checked at line 1881: if (slot),
> which implies it may be NULL.
> 
> Fix this by placing the declaration and definition of variable cq,
> which contains the pointer dereference slot->dlvry_queue, after
> *slot* has been properly NULL checked.
> 
> Addresses-Coverity-ID: 1474515 ("Dereference before null check")
> Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
> ---
>  drivers/scsi/hisi_sas/hisi_sas_main.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
> index 2e5eaf1..e3f7c7b 100644
> --- a/drivers/scsi/hisi_sas/hisi_sas_main.c
> +++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
> @@ -1875,10 +1875,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
>  	if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
>  		if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
>  			struct hisi_sas_slot *slot = task->lldd_task;
> -			struct hisi_sas_cq *cq =
> -				&hisi_hba->cq[slot->dlvry_queue];
>  
>  			if (slot) {
> +				struct hisi_sas_cq *cq =
> +					&hisi_hba->cq[slot->dlvry_queue];
>  				/*
>  				 * flush tasklet to avoid free'ing task
>  				 * before using task in IO completion
>