public inbox for linux-scsi@vger.kernel.org
From: Alexander Strakh <strakh@ispras.ru>
To: Eric Moore <Eric.Moore@lsi.com>,
	support@lsi.com, DL-MPTFusionLinux@lsi.com,
	linux-scsi@vger.kernel.org
Subject: BUG null dereference in drivers/message/fusion/mptscsih.c
Date: Mon, 14 Dec 2009 21:02:32 +0000
Message-ID: <200912142102.32774.strakh@ispras.ru>

	KERNEL_VERSION: 2.6.32
	SUBJECT: null dereference in function mptscsih_qcmd
	DESCRIBE:
	In ./drivers/ata/sata_mv.c in function mptscsih_qcmd 

Null dereference in line 1371 of vdevice (vdevice->vtarget->id).
We assume that it may be null, because we check it in line 1361 in the if
statement. (If vdevice is null, we go to the else part in line 1366.)

1300 int
1301 mptscsih_qcmd(struct scsi_cmnd *SCpnt, void (*done)(struct scsi_cmnd *))
1302 {
...
1361         if (vdevice
1362             && (vdevice->vtarget->tflags & MPT_TARGET_FLAGS_Q_YES)
1363             && (SCpnt->device->tagged_supported)) {
1364                 scsictl = scsidir | MPI_SCSIIO_CONTROL_SIMPLEQ;
1365         } else {
1366                 scsictl = scsidir | MPI_SCSIIO_CONTROL_UNTAGGED;
1367         }
1368
1369         /* Use the above information to set up the message frame
1370          */
1371         pScsiReq->TargetID = (u8) vdevice->vtarget->id;
1372         pScsiReq->Bus = vdevice->vtarget->channel;
...
}

Found by Linux Device Drivers Verification Project (Svace Detector)
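
Added example, not part of the original message and not the driver's code or its eventual fix: a self-contained C model of the reported check-then-dereference pattern next to a guarded form that rejects the command before any pointer is followed. The struct layouts, constant values and function names (fill_req_unchecked, fill_req_checked) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the driver's types; layouts and values are constructed. */
#define TARGET_FLAGS_Q_YES 0x01   /* stand-in for MPT_TARGET_FLAGS_Q_YES */
#define CTL_SIMPLEQ        0x100  /* stand-in for MPI_SCSIIO_CONTROL_SIMPLEQ */
#define CTL_UNTAGGED       0x500  /* stand-in for MPI_SCSIIO_CONTROL_UNTAGGED */

struct vtarget { uint8_t id; uint8_t channel; uint8_t tflags; };
struct vdevice { struct vtarget *vtarget; };
struct scsi_req { uint8_t target_id; uint8_t bus; uint32_t control; };

/* Pattern from the report: vdevice is tested in the condition, then
 * dereferenced unconditionally. Faults when vdevice == NULL. */
int fill_req_unchecked(struct scsi_req *req, const struct vdevice *vdevice,
                       int tagged_supported, uint32_t scsidir)
{
    if (vdevice && (vdevice->vtarget->tflags & TARGET_FLAGS_Q_YES)
        && tagged_supported)
        req->control = scsidir | CTL_SIMPLEQ;
    else
        req->control = scsidir | CTL_UNTAGGED;
    req->target_id = vdevice->vtarget->id;      /* NULL dereference here */
    req->bus = vdevice->vtarget->channel;
    return 0;
}

/* Guarded form: validate every pointer once, up front, so the later
 * accesses are only reached with valid pointers. Returns -1 on rejection
 * and leaves *req untouched. */
int fill_req_checked(struct scsi_req *req, const struct vdevice *vdevice,
                     int tagged_supported, uint32_t scsidir)
{
    if (!req || !vdevice || !vdevice->vtarget)
        return -1;
    const struct vtarget *vt = vdevice->vtarget;
    if ((vt->tflags & TARGET_FLAGS_Q_YES) && tagged_supported)
        req->control = scsidir | CTL_SIMPLEQ;
    else
        req->control = scsidir | CTL_UNTAGGED;
    req->target_id = vt->id;
    req->bus = vt->channel;
    return 0;
}
```

The guarded form also covers a NULL vtarget, which the condition in line 1362 of the quoted code dereferences without a test of its own.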
