From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Xiang Chen <chenxiang66@hisilicon.com>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
Sasha Levin <sashal@kernel.org>,
linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 090/237] scsi: hisi_sas: Fix NULL pointer dereference
Date: Sat, 16 Nov 2019 10:38:45 -0500
Message-ID: <20191116154113.7417-90-sashal@kernel.org>
In-Reply-To: <20191116154113.7417-1-sashal@kernel.org>
From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>

[ Upstream commit f4445bb93d82a984657b469e63118c2794a4c3d3 ]

There is a NULL pointer dereference in case *slot* happens to be NULL at
lines 1053 and 1878:

    struct hisi_sas_cq *cq =
        &hisi_hba->cq[slot->dlvry_queue];

Notice that *slot* is being NULL checked at lines 1057 and 1881:
if (slot), which implies it may be NULL.

Fix this by placing the declaration and definition of variable cq, which
contains the pointer dereference slot->dlvry_queue, after slot has been
properly NULL checked.

Addresses-Coverity-ID: 1474515 ("Dereference before null check")
Addresses-Coverity-ID: 1474520 ("Dereference before null check")
Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index d4a2625a44232..f478d1f50dfc0 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1025,11 +1025,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device,
if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
struct hisi_sas_slot *slot = task->lldd_task;
- struct hisi_sas_cq *cq =
- &hisi_hba->cq[slot->dlvry_queue];
dev_err(dev, "abort tmf: TMF task timeout and not done\n");
if (slot) {
+ struct hisi_sas_cq *cq =
+ &hisi_hba->cq[slot->dlvry_queue];
/*
* flush tasklet to avoid free'ing task
* before using task in IO completion
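Review bot: The commit message points at lines 1053 and 1878 for the dereference and 1057 and 1881 for the check, but in this tree the hunk starts at line 1025 and the next one at 1856, so those numbers do not lead a reader to the code. Naming the two functions instead, hisi_sas_exec_internal_tmf_task() and hisi_sas_internal_task_abort(), would keep the description valid across backports. The reordering itself reads correctly: cq is now computed only inside if (slot), so slot->dlvry_queue is no longer evaluated before the NULL check.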
@@ -1856,10 +1856,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba,
if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) {
if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) {
struct hisi_sas_slot *slot = task->lldd_task;
- struct hisi_sas_cq *cq =
- &hisi_hba->cq[slot->dlvry_queue];
if (slot) {
+ struct hisi_sas_cq *cq =
+ &hisi_hba->cq[slot->dlvry_queue];
/*
* flush tasklet to avoid free'ing task
* before using task in IO completion
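Review bot: The if (slot) block in hisi_sas_internal_task_abort() is the same flush sequence as the one in hisi_sas_exec_internal_tmf_task() above, down to the comment, and both copies needed the identical fix. A small helper that takes hisi_hba and task and does the task->lldd_task NULL check and the cq lookup in one place would keep the two paths from drifting apart again. It is also worth confirming that slot cannot be released between the read of task->lldd_task and the slot->dlvry_queue dereference, since the NULL check does not cover a pointer that has gone stale.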
--
2.20.1