* [PATCH v2] scsi: hisi_sas: Fix NULL pointer dereference
@ 2018-10-18 16:59 Gustavo A. R. Silva
From: Gustavo A. R. Silva @ 2018-10-18 16:59 UTC (permalink / raw)
  To: John Garry, James E.J. Bottomley, Martin K. Petersen, Xiang Chen
  Cc: linux-scsi, linux-kernel, Gustavo A. R. Silva

There is a NULL pointer dereference in case *slot* happens to
be NULL at lines 1053 and 1878:

struct hisi_sas_cq *cq =
	&hisi_hba->cq[slot->dlvry_queue];

Notice that *slot* is being NULL checked at lines 1057 and 1881:
if (slot), which implies it may be NULL.

Fix this by placing the declaration and definition of variable cq,
which contains the pointer dereference slot->dlvry_queue, after
slot has been properly NULL checked.

Addresses-Coverity-ID: 1474515 ("Dereference before null check")
Addresses-Coverity-ID: 1474520 ("Dereference before null check")
Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
Changes in v2:
 - Fix another instance of the same issue at line 1053.
 - Update commit log.

 drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 2e5eaf1..b3f01d5 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1050,11 +1050,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
 		if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 			if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 				struct hisi_sas_slot *slot = task->lldd_task;
-				struct hisi_sas_cq *cq =
-					&hisi_hba->cq[slot->dlvry_queue];
 
 				dev_err(dev, "abort tmf: TMF task timeout and not done\n");
 				if (slot) {
+					struct hisi_sas_cq *cq =
+					       &hisi_hba->cq[slot->dlvry_queue];
 					/*
 					 * flush tasklet to avoid free'ing task
 					 * before using task in IO completion
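Review bot: the continuation line of the moved declaration (`&hisi_hba->cq[slot->dlvry_queue];`) is indented with a run of spaces after the tabs, while the identical statement in the second hunk uses tabs only; align it with tabs so both sites read the same and checkpatch has nothing to flag. The move itself is the right fix: `&hisi_hba->cq[slot->dlvry_queue]` must load `slot->dlvry_queue` to compute the element address, so it is a real dereference even though only an address is taken, and it now executes only inside `if (slot)`. The `dev_err()` that still runs before the check does not touch `slot`, so leaving it where it is is fine.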
@@ -1875,10 +1875,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
 	if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
 		if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
 			struct hisi_sas_slot *slot = task->lldd_task;
-			struct hisi_sas_cq *cq =
-				&hisi_hba->cq[slot->dlvry_queue];
 
 			if (slot) {
+				struct hisi_sas_cq *cq =
+					&hisi_hba->cq[slot->dlvry_queue];
 				/*
 				 * flush tasklet to avoid free'ing task
 				 * before using task in IO completion
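Review bot: the added `cq` declaration is followed directly by the `/* flush tasklet ... */` comment and the statements it introduces, with no blank line after the declaration, whereas the `slot` declaration just above keeps one; consider the same blank line after `cq` in both hunks for consistency with the surrounding style. Otherwise the change is minimal and correct for this site: the only dereference of `slot` that sat outside `if (slot)` is gone, and the blank line that previously separated `cq` from the check now simply follows the `slot` declaration.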
-- 
2.7.4


* Re: [PATCH v2] scsi: hisi_sas: Fix NULL pointer dereference
@ 2018-10-19  0:54   ` chenxiang (M)
From: chenxiang (M) @ 2018-10-19  0:54 UTC (permalink / raw)
  To: Gustavo A. R. Silva, John Garry, James E.J. Bottomley,
	Martin K. Petersen
  Cc: linux-scsi, linux-kernel

On 2018/10/19 0:59, Gustavo A. R. Silva wrote:
> There is a NULL pointer dereference in case *slot* happens to
> be NULL at lines 1053 and 1878:
>
> struct hisi_sas_cq *cq =
> 	&hisi_hba->cq[slot->dlvry_queue];
>
> Notice that *slot* is being NULL checked at lines 1057 and 1881:
> if (slot), which implies it may be NULL.
>
> Fix this by placing the declaration and definition of variable cq,
> which contains the pointer dereference slot->dlvry_queue, after
> slot has been properly NULL checked.
>
> Addresses-Coverity-ID: 1474515 ("Dereference before null check")
> Addresses-Coverity-ID: 1474520 ("Dereference before null check")
> Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
> Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>

Reviewed-by: Xiang Chen <chenxiang66@hisilicon.com>
Thanks!

> ---
> Changes in v2:
>   - Fix another instance of the same issue at line 1053.
>   - Update commit log.
>
>   drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++----
>   1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
> index 2e5eaf1..b3f01d5 100644
> --- a/drivers/scsi/hisi_sas/hisi_sas_main.c
> +++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
> @@ -1050,11 +1050,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
>   		if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
>   			if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
>   				struct hisi_sas_slot *slot = task->lldd_task;
> -				struct hisi_sas_cq *cq =
> -					&hisi_hba->cq[slot->dlvry_queue];
>   
>   				dev_err(dev, "abort tmf: TMF task timeout and not done\n");
>   				if (slot) {
> +					struct hisi_sas_cq *cq =
> +					       &hisi_hba->cq[slot->dlvry_queue];
>   					/*
>   					 * flush tasklet to avoid free'ing task
>   					 * before using task in IO completion
> @@ -1875,10 +1875,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
>   	if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
>   		if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
>   			struct hisi_sas_slot *slot = task->lldd_task;
> -			struct hisi_sas_cq *cq =
> -				&hisi_hba->cq[slot->dlvry_queue];
>   
>   			if (slot) {
> +				struct hisi_sas_cq *cq =
> +					&hisi_hba->cq[slot->dlvry_queue];
>   				/*
>   				 * flush tasklet to avoid free'ing task
>   				 * before using task in IO completion



* Re: [PATCH v2] scsi: hisi_sas: Fix NULL pointer dereference
@ 2018-10-19 22:28 ` Martin K. Petersen
From: Martin K. Petersen @ 2018-10-19 22:28 UTC (permalink / raw)
  To: Gustavo A. R. Silva
  Cc: John Garry, James E.J. Bottomley, Martin K. Petersen, Xiang Chen,
	linux-scsi, linux-kernel


Gustavo,

> There is a NULL pointer dereference in case *slot* happens to
> be NULL at lines 1053 and 1878:
>
> struct hisi_sas_cq *cq =
> 	&hisi_hba->cq[slot->dlvry_queue];
>
> Notice that *slot* is being NULL checked at lines 1057 and 1881:
> if (slot), which implies it may be NULL.
>
> Fix this by placing the declaration and definition of variable cq,
> which contains the pointer dereference slot->dlvry_queue, after
> slot has been properly NULL checked.

Applied to 4.20/scsi-queue, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering


* Re: [PATCH v2] scsi: hisi_sas: Fix NULL pointer dereference
@ 2018-10-20  6:34   ` Gustavo A. R. Silva
From: Gustavo A. R. Silva @ 2018-10-20  6:34 UTC (permalink / raw)
  To: Martin K. Petersen
  Cc: John Garry, James E.J. Bottomley, Xiang Chen, linux-scsi,
	linux-kernel



On 10/20/18 12:28 AM, Martin K. Petersen wrote:
> 
> Gustavo,
> 
>> There is a NULL pointer dereference in case *slot* happens to
>> be NULL at lines 1053 and 1878:
>>
>> struct hisi_sas_cq *cq =
>> 	&hisi_hba->cq[slot->dlvry_queue];
>>
>> Notice that *slot* is being NULL checked at lines 1057 and 1881:
>> if (slot), which implies it may be NULL.
>>
>> Fix this by placing the declaration and definition of variable cq,
>> which contains the pointer dereference slot->dlvry_queue, after
>> slot has been properly NULL checked.
> 
> Applied to 4.20/scsi-queue, thanks!
> 

Glad to help. :)

Thanks
--
Gustavo

