Message ID | 20201118131345.460631-1-colin.king@canonical.com |
---|---|
State | New |
Series | [next] scsi: lpfc: fix pointer defereference before it is null checked issue |
On 11/18/2020 5:13 AM, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > There is a null check on pointer lpfc_cmd after the pointer has been > dereferenced when pointers rdata and ndlp are initialized at the start > of the function. Fix this by only assigning rdata and ndlp after the > pointer lpfc_cmd has been null checked. > > Addresses-Coverity: ("Dereference before null check") > Fixes: 96e209be6ecb ("scsi: lpfc: Convert SCSI I/O completions to SLI-3 and SLI-4 handlers") > Signed-off-by: Colin Ian King <colin.king@canonical.com> > --- > drivers/scsi/lpfc/lpfc_scsi.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c > index f989490359a5..3b989f720937 100644 > --- a/drivers/scsi/lpfc/lpfc_scsi.c > +++ b/drivers/scsi/lpfc/lpfc_scsi.c > @@ -4022,8 +4022,8 @@ lpfc_fcp_io_cmd_wqe_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pwqeIn, > struct lpfc_io_buf *lpfc_cmd = > (struct lpfc_io_buf *)pwqeIn->context1; > struct lpfc_vport *vport = pwqeIn->vport; > - struct lpfc_rport_data *rdata = lpfc_cmd->rdata; > - struct lpfc_nodelist *ndlp = rdata->pnode; > + struct lpfc_rport_data *rdata; > + struct lpfc_nodelist *ndlp; > struct scsi_cmnd *cmd; > unsigned long flags; > struct lpfc_fast_path_event *fast_path_evt; > @@ -4040,6 +4040,9 @@ lpfc_fcp_io_cmd_wqe_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pwqeIn, > return; > } > > + rdata = lpfc_cmd->rdata; > + ndlp = rdata->pnode; > + > if (bf_get(lpfc_wcqe_c_xb, wcqe)) { > /* TOREMOVE - currently this flag is checked during > * the release of lpfc_iocbq. Remove once we move Looks good. Reviewed-by: James Smart <james.smart@broadcom.com> -- james
Colin,

> There is a null check on pointer lpfc_cmd after the pointer has been
> dereferenced when pointers rdata and ndlp are initialized at the start
> of the function. Fix this by only assigning rdata and ndlp after the
> pointer lpfc_cmd has been null checked.

Applied to 5.11/scsi-staging, thanks!

--
Martin K. Petersen Oracle Linux Engineering
On Wed, 18 Nov 2020 13:13:45 +0000, Colin King wrote:

> There is a null check on pointer lpfc_cmd after the pointer has been
> dereferenced when pointers rdata and ndlp are initialized at the start
> of the function. Fix this by only assigning rdata and ndlp after the
> pointer lpfc_cmd has been null checked.

Applied to 5.11/scsi-queue, thanks!

[1/1] scsi: lpfc: Fix pointer defereference before it is null checked issue
      https://git.kernel.org/mkp/scsi/c/1e7dddb2e76a

--
Martin K. Petersen Oracle Linux Engineering
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c index f989490359a5..3b989f720937 100644 --- a/drivers/scsi/lpfc/lpfc_scsi.c +++ b/drivers/scsi/lpfc/lpfc_scsi.c @@ -4022,8 +4022,8 @@ lpfc_fcp_io_cmd_wqe_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pwqeIn, struct lpfc_io_buf *lpfc_cmd = (struct lpfc_io_buf *)pwqeIn->context1; struct lpfc_vport *vport = pwqeIn->vport; - struct lpfc_rport_data *rdata = lpfc_cmd->rdata; - struct lpfc_nodelist *ndlp = rdata->pnode; + struct lpfc_rport_data *rdata; + struct lpfc_nodelist *ndlp; struct scsi_cmnd *cmd; unsigned long flags; struct lpfc_fast_path_event *fast_path_evt; @@ -4040,6 +4040,9 @@ lpfc_fcp_io_cmd_wqe_cmpl(struct lpfc_hba *phba, struct lpfc_iocbq *pwqeIn, return; } + rdata = lpfc_cmd->rdata; + ndlp = rdata->pnode; + if (bf_get(lpfc_wcqe_c_xb, wcqe)) { /* TOREMOVE - currently this flag is checked during * the release of lpfc_iocbq. Remove once we move
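Review bot: In the first hunk (@@ -4022,8 +4022,8), `rdata` and `ndlp` are now declared without initializers, so nothing between these declarations and the assignments added in the second hunk may read them. Only the tail of the early-exit block (`return;` and its closing brace) is visible in the diff context, so please confirm that block does not reference `rdata` or `ndlp`. Leaving them uninitialized rather than assigning NULL is the better choice here, since it lets the compiler flag any use before assignment.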
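Review bot: In the second hunk (@@ -4040,6 +4040,9), `ndlp = rdata->pnode;` still dereferences `rdata` unconditionally on the line right after `rdata = lpfc_cmd->rdata;`. The patch orders the `lpfc_cmd` dereference after its null check, but if `lpfc_cmd->rdata` can be NULL on this completion path the same class of defect remains one line further down. Either add a check on `rdata` before reading `pnode`, or say in the commit message why it is guaranteed to be non-NULL at this point.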