From: Colin King
To: James Smart, Dick Kennedy, "James E . J . Bottomley", "Martin K . Petersen", linux-scsi@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][scsi-next] scsi: lpfc: fix null pointer dereference on nvmebuf
Date: Wed, 11 Jul 2018 14:44:36 +0100
Message-Id: <20180711134436.21963-1-colin.king@canonical.com>

From: Colin Ian King

The check of nvmebuf suggests that it can be null, however a recent change dereferences it to determine oxid before it is null checked, hence there is a potential null dereference on the pointer. Fix this by performing the null check first. Also remove the oxid from the debug log message as this is no longer valid.

I considered an early fetch of oxid if nvmebuf was valid, however, what oxid should be set to if nvmebuf is null could lead to an ambiguous logging of an invalid oxid, so I thought just removing it from the logging was the least confusing solution.

Detected by CoverityScan, CID#1471753 ("Dereference before null check")

Fixes: 68c9b55deea5 ("scsi: lpfc: Fix abort error path for NVMET")
Signed-off-by: Colin Ian King

--- drivers/scsi/lpfc/lpfc_nvmet.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/scsi/lpfc/lpfc_nvmet.c b/drivers/scsi/lpfc/lpfc_nvmet.c index 22f8a204b69f..01652d9ac619 100644 --- a/drivers/scsi/lpfc/lpfc_nvmet.c +++ b/drivers/scsi/lpfc/lpfc_nvmet.c @@ -1742,12 +1742,9 @@ lpfc_nvmet_unsol_ls_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, uint32_t *payload; uint32_t size, oxid, sid, rc; - fc_hdr = (struct fc_frame_header *)(nvmebuf->hbuf.virt); - oxid = be16_to_cpu(fc_hdr->fh_ox_id); - if (!nvmebuf || !phba->targetport) { lpfc_printf_log(phba, KERN_ERR, LOG_NVME_IOERR, - "6154 LS Drop IO x%x\n", oxid); + "6154 LS Drop IO\n"); oxid = 0; size = 0; sid = 0; @@ -1755,6 +1752,9 @@ lpfc_nvmet_unsol_ls_buffer(struct lpfc_hba *phba, struct lpfc_sli_ring *pring, goto dropit; } + fc_hdr = (struct fc_frame_header *)(nvmebuf->hbuf.virt); + oxid = be16_to_cpu(fc_hdr->fh_ox_id); + tgtp = (struct lpfc_nvmet_tgtport *)phba->targetport->private; payload = (uint32_t *)(nvmebuf->dbuf.virt); size = bf_get(lpfc_rcqe_length, &nvmebuf->cq_event.cqe.rcqe_cmpl); -- 2.17.1
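
Review bot: In the first hunk (@@ -1742,12 +1742,9 @@), the combined test `!nvmebuf || !phba->targetport` now logs only "6154 LS Drop IO", so the message no longer says which of the two conditions caused the drop, and in the `!phba->targetport` case nvmebuf is valid and the oxid could still have been read from the header. Consider splitting the two conditions, or adding to the log which one fired, so the drop message stays useful when debugging a missing targetport.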
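
Review bot: In the second hunk (@@ -1755,6 +1752,9 @@), fc_hdr is now assigned only after the `goto dropit` branch, so on the drop path it is never set. The code under the `dropit` label is outside this diff; please confirm nothing there reads fc_hdr, or initialise it to NULL where it is declared so that a later use on that path fails obviously instead of reading an indeterminate pointer.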