* [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences
From: James Smart @ 2019-11-11 23:03 UTC
To: linux-scsi
Cc: James Smart, Dick Kennedy, Martin K. Petersen, Gustavo A. R. Silva, linux-next

Coverity reported the following:

*** CID 1487391: Null pointer dereferences (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_scsi.c: 614 in lpfc_get_scsi_buf_s3()
608             spin_unlock(&phba->scsi_buf_list_put_lock);
609         }
610         spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
611
612         if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
613             atomic_inc(&ndlp->cmd_pending);
vvv     CID 1487391: Null pointer dereferences (FORWARD_NULL)
vvv     Dereferencing null pointer "lpfc_cmd".
614             lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
615         }
616         return lpfc_cmd;
617     }
618     /**
619      * lpfc_get_scsi_buf_s4 - Get a scsi buffer from io_buf_list of the HBA

Fix by checking lpfc_cmd to be non-NULL as part of line 612

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487391 ("Null pointer dereferences")
Fixes: 2a5b7d626ed2 ("scsi: lpfc: Limit tracking of tgt queue depth in fast path")

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
CC: "Martin K. Petersen" <martin.petersen@oracle.com>
CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
CC: linux-next@vger.kernel.org
---
 drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 959ef471d758..ba26df90a36a 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -611,7 +611,7 @@ lpfc_get_scsi_buf_s3(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp, } spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag); - if (lpfc_ndlp_check_qdepth(phba, ndlp)) { + if (lpfc_ndlp_check_qdepth(phba, ndlp) && lpfc_cmd) { atomic_inc(&ndlp->cmd_pending); lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH; } -- 2.13.7 ^ permalink raw reply related [flat|nested] 4+ messages in thread
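Review bot: In the changed condition, `lpfc_cmd` is tested after `lpfc_ndlp_check_qdepth(phba, ndlp)`, so the queue-depth check still runs on the path where no buffer was obtained; putting the NULL test first, `if (lpfc_cmd && lpfc_ndlp_check_qdepth(phba, ndlp)) {`, short-circuits that call and reads as the guard it is. The outcome is the same in either order, since neither `atomic_inc(&ndlp->cmd_pending)` nor the `lpfc_cmd->flags` update runs unless both operands are true. The commit message also does not say on which path `lpfc_cmd` is left NULL before `return lpfc_cmd;`; one sentence on that would help anyone backporting against the Fixes: commit.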
* Re: [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences
From: Ewan D. Milne @ 2019-11-12 18:30 UTC
To: James Smart, linux-scsi
Cc: Dick Kennedy, Martin K. Petersen, Gustavo A. R. Silva, linux-next

On Mon, 2019-11-11 at 15:03 -0800, James Smart wrote:
> Coverity reported the following:
>
> *** CID 1487391: Null pointer dereferences (FORWARD_NULL)
> /drivers/scsi/lpfc/lpfc_scsi.c: 614 in lpfc_get_scsi_buf_s3()
> 608             spin_unlock(&phba->scsi_buf_list_put_lock);
> 609         }
> 610         spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
> 611
> 612         if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
> 613             atomic_inc(&ndlp->cmd_pending);
> vvv     CID 1487391: Null pointer dereferences (FORWARD_NULL)
> vvv     Dereferencing null pointer "lpfc_cmd".
> 614             lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
> 615         }
> 616         return lpfc_cmd;
> 617     }
> 618     /**
> 619      * lpfc_get_scsi_buf_s4 - Get a scsi buffer from io_buf_list of the HBA
>
> Fix by checking lpfc_cmd to be non-NULL as part of line 612
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1487391 ("Null pointer dereferences")
> Fixes: 2a5b7d626ed2 ("scsi: lpfc: Limit tracking of tgt queue depth in fast path")
>
> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
> Signed-off-by: James Smart <jsmart2021@gmail.com>
> CC: "Martin K. Petersen" <martin.petersen@oracle.com>
> CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
> CC: linux-next@vger.kernel.org
> ---
>  drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
> index 959ef471d758..ba26df90a36a 100644
> --- a/drivers/scsi/lpfc/lpfc_scsi.c
> +++ b/drivers/scsi/lpfc/lpfc_scsi.c
> @@ -611,7 +611,7 @@ lpfc_get_scsi_buf_s3(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp, > } > spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag); > > - if (lpfc_ndlp_check_qdepth(phba, ndlp)) { > + if (lpfc_ndlp_check_qdepth(phba, ndlp) && lpfc_cmd) { > atomic_inc(&ndlp->cmd_pending); > lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH; > } Reviewed-by: Ewan D. Milne <emilne@redhat.com> ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
From: James Smart @ 2019-11-11 23:03 UTC
To: linux-scsi
Cc: James Smart, Dick Kennedy, James Bottomley, Gustavo A. R. Silva, linux-next

Coverity reported the following:

*** CID 101747: Null pointer dereferences (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
4433                 kfree(mp);
4434             }
4435             mempool_free(mbox, phba->mbox_mem_pool);
4436         }
4437     out:
4438         if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
vvv     CID 101747: Null pointer dereferences (FORWARD_NULL)
vvv     Dereferencing null pointer "shost".
4439             spin_lock_irq(shost->host_lock);
4440             ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
4441             spin_unlock_irq(shost->host_lock);
4442
4443             /* If the node is not being used by another discovery thread,
4444              * and we are sending a reject, we are done with it.

Fix by adding a check for non-null shost in line 4438.
The scenario when shost is set to null is when ndlp is null.
As such, the ndlp check present was sufficient. But better safe
than sorry so add the shost check.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
CC: James Bottomley <James.Bottomley@SteelEye.com>
CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
CC: linux-next@vger.kernel.org
---
 drivers/scsi/lpfc/lpfc_els.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 9a570c15b2a1..42a2bf38eaea 100644
--- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -4445,7 +4445,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, mempool_free(mbox, phba->mbox_mem_pool); } out: - if (ndlp && NLP_CHK_NODE_ACT(ndlp)) { + if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) { spin_lock_irq(shost->host_lock); ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); spin_unlock_irq(shost->host_lock); -- 2.13.7 ^ permalink raw reply related [flat|nested] 4+ messages in thread
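Review bot: The added `&& shost` on the condition after `out:` guards the whole block, not only the `spin_lock_irq(shost->host_lock)` / `spin_unlock_irq(shost->host_lock)` pair, so if `shost` were ever NULL with a valid `ndlp`, the `nlp_flag` clearing and the node handling that follows the unlock (the "we are done with it" comment in the Coverity excerpt) would be skipped silently. The commit message says that case cannot occur because `shost` is NULL only when `ndlp` is NULL; if so, a one-line comment stating that invariant above the condition would keep a later reader from treating `shost == NULL` as a supported path.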
* Re: [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
From: Ewan D. Milne @ 2019-11-12 18:30 UTC
To: James Smart, linux-scsi
Cc: Dick Kennedy, James Bottomley, Gustavo A. R. Silva, linux-next

On Mon, 2019-11-11 at 15:03 -0800, James Smart wrote:
> Coverity reported the following:
>
> *** CID 101747: Null pointer dereferences (FORWARD_NULL)
> /drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
> 4433                 kfree(mp);
> 4434             }
> 4435             mempool_free(mbox, phba->mbox_mem_pool);
> 4436         }
> 4437     out:
> 4438         if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
> vvv     CID 101747: Null pointer dereferences (FORWARD_NULL)
> vvv     Dereferencing null pointer "shost".
> 4439             spin_lock_irq(shost->host_lock);
> 4440             ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
> 4441             spin_unlock_irq(shost->host_lock);
> 4442
> 4443             /* If the node is not being used by another discovery thread,
> 4444              * and we are sending a reject, we are done with it.
>
> Fix by adding a check for non-null shost in line 4438.
> The scenario when shost is set to null is when ndlp is null.
> As such, the ndlp check present was sufficient. But better safe
> than sorry so add the shost check.
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
> Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")
>
> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
> Signed-off-by: James Smart <jsmart2021@gmail.com>
> CC: James Bottomley <James.Bottomley@SteelEye.com>
> CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
> CC: linux-next@vger.kernel.org
> ---
>  drivers/scsi/lpfc/lpfc_els.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c > index 9a570c15b2a1..42a2bf38eaea 100644 > --- a/drivers/scsi/lpfc/lpfc_els.c > +++ b/drivers/scsi/lpfc/lpfc_els.c > @@ -4445,7 +4445,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, > mempool_free(mbox, phba->mbox_mem_pool); > } > out: > - if (ndlp && NLP_CHK_NODE_ACT(ndlp)) { > + if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) { > spin_lock_irq(shost->host_lock); > ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI); > spin_unlock_irq(shost->host_lock); Reviewed-by: Ewan D. Milne <emilne@redhat.com> ^ permalink raw reply [flat|nested] 4+ messages in thread