* [PATCH] scsi: csiostor: Fix a possible null-pointer dereference in csio_eh_lun_reset_handler()
@ 2025-12-18 12:17 Tuo Li
From: Tuo Li @ 2025-12-18 12:17 UTC (permalink / raw)
To: James.Bottomley, martin.petersen; +Cc: linux-scsi, linux-kernel, Tuo Li
In this function, rn is checked by an if statement. If it is NULL,
execution transfers to the fail label. However, rn may still
be dereferenced later via the following macro:
CSIO_INC_STATS(rn, n_lun_rst_fail);
To avoid a potential null-pointer dereference, return FAILED directly when
rn is NULL, rather than transferring control to the common fail label.
Signed-off-by: Tuo Li <islituo@gmail.com>
---
drivers/scsi/csiostor/csio_scsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c
index 34bde6650fae..feb1a9a9390b 100644
--- a/drivers/scsi/csiostor/csio_scsi.c
+++ b/drivers/scsi/csiostor/csio_scsi.c
@@ -2074,7 +2074,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd)
struct csio_scsi_level_data sld;
if (!rn)
- goto fail;
+ return FAILED;
csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n",
cmnd->device->lun, rn->flowid, rn->scsi_id);
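Review bot: at the `if (!rn)` check, `return FAILED;` now bypasses everything at the fail label, not only `CSIO_INC_STATS(rn, n_lun_rst_fail);`. The changelog should say explicitly that the label does nothing else this path needs (no lock held and nothing to release this early in the function), so a reader does not have to open the rest of csio_eh_lun_reset_handler() to confirm it. A Fixes: tag naming the commit that introduced the `goto fail` would also help anyone backporting this.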
--
2.43.0
* [PATCH] scsi: csiostor: Fix a possible null-pointer dereference in csio_eh_lun_reset_handler()
@ 2019-07-29 8:51 Jia-Ju Bai
From: Jia-Ju Bai @ 2019-07-29 8:51 UTC (permalink / raw)
To: jejb, martin.petersen, varun, hare, osandov, jthumshirn, axboe
Cc: linux-scsi, linux-kernel, Jia-Ju Bai
In csio_eh_lun_reset_handler(), there is an if statement on line 2072 to
check whether rn is NULL:
if (!rn)
When rn is NULL, it is used on line 2217:
CSIO_INC_STATS(rn, n_lun_rst_fail);
Thus, a possible null-pointer dereference may occur.
To fix this bug, csio_eh_lun_reset_handler() directly returns FAILED
when rn is NULL.
This bug is found by a static analysis tool STCheck written by us.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
drivers/scsi/csiostor/csio_scsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/csiostor/csio_scsi.c b/drivers/scsi/csiostor/csio_scsi.c
index 469d0bc9f5fe..c81d743d3544 100644
--- a/drivers/scsi/csiostor/csio_scsi.c
+++ b/drivers/scsi/csiostor/csio_scsi.c
@@ -2070,7 +2070,7 @@ csio_eh_lun_reset_handler(struct scsi_cmnd *cmnd)
struct csio_scsi_level_data sld;
if (!rn)
- goto fail;
+ return FAILED;
csio_dbg(hw, "Request to reset LUN:%llu (ssni:0x%x tgtid:%d)\n",
cmnd->device->lun, rn->flowid, rn->scsi_id);
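Review bot: the `return FAILED;` on the `!rn` path exits before the `csio_dbg(hw, "Request to reset LUN...")` call that follows it, so a LUN reset that arrives with a NULL rn now fails with neither a log line nor a counter increment. If hw is valid at that point, a short csio_dbg() before the return would keep the failure visible. Separately, the changelog locates the check and the dereference by line number (2072 and 2217); those go stale as soon as the file changes, so naming the `fail:` label and the `CSIO_INC_STATS(rn, n_lun_rst_fail);` statement alone would be more durable.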
--
2.17.0