Subject: Re: [PATCH v2] scsi: hisi_sas: Fix NULL pointer dereference
To: "Gustavo A. R. Silva", John Garry, "James E.J. Bottomley", "Martin K. Petersen"
References: <20181018165939.GA26491@embeddedor.com>
From: "chenxiang (M)"
Message-ID: <8bf37d22-8416-2b0b-1049-9c93b73ffc4d@hisilicon.com>
Date: Fri, 19 Oct 2018 08:54:04 +0800
In-Reply-To: <20181018165939.GA26491@embeddedor.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018/10/19 0:59, Gustavo A. R. Silva wrote:
> There is a NULL pointer dereference in case *slot* happens to
> be NULL at lines 1053 and 1878:
>
>     struct hisi_sas_cq *cq =
>         &hisi_hba->cq[slot->dlvry_queue];
>
> Notice that *slot* is being NULL checked at lines 1057 and 1881:
> if (slot), which implies it may be NULL.
>
> Fix this by placing the declaration and definition of variable cq,
> which contains the pointer dereference slot->dlvry_queue, after
> slot has been properly NULL checked.
>
> Addresses-Coverity-ID: 1474515 ("Dereference before null check")
> Addresses-Coverity-ID: 1474520 ("Dereference before null check")
> Fixes: 584f53fe5f52 ("scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO")
> Signed-off-by: Gustavo A. R. Silva

Reviewed-by: Xiang Chen

Thanks!

> ---
> Changes in v2:
> - Fix another instance of the same issue at line 1053.
> - Update commit log.
>
> drivers/scsi/hisi_sas/hisi_sas_main.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c > index 2e5eaf1..b3f01d5 100644 > --- a/drivers/scsi/hisi_sas/hisi_sas_main.c > +++ b/drivers/scsi/hisi_sas/hisi_sas_main.c 
> @@ -1050,11 +1050,11 @@ static int hisi_sas_exec_internal_tmf_task(struct domain_device *device, > if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { > if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { > struct hisi_sas_slot *slot = task->lldd_task; > - struct hisi_sas_cq *cq = > - &hisi_hba->cq[slot->dlvry_queue]; > > dev_err(dev, "abort tmf: TMF task timeout and not done\n"); > if (slot) { > + struct hisi_sas_cq *cq = > + &hisi_hba->cq[slot->dlvry_queue]; > /* > * flush tasklet to avoid free'ing task > * before using task in IO completion > @@ -1875,10 +1875,10 @@ hisi_sas_internal_task_abort(struct hisi_hba *hisi_hba, > if ((task->task_state_flags & SAS_TASK_STATE_ABORTED)) { > if (!(task->task_state_flags & SAS_TASK_STATE_DONE)) { > struct hisi_sas_slot *slot = task->lldd_task; > - struct hisi_sas_cq *cq = > - &hisi_hba->cq[slot->dlvry_queue]; > > if (slot) { > + struct hisi_sas_cq *cq = > + &hisi_hba->cq[slot->dlvry_queue]; > /* > * flush tasklet to avoid free'ing task > * before using task in IO completion
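
Review bot: In the first hunk (hisi_sas_exec_internal_tmf_task), the relocated declaration of cq inside `if (slot) {` is followed immediately by the `/* flush tasklet ...` comment with no blank line, which goes against the kernel convention of separating declarations from the code that follows. Add an empty line after `&hisi_hba->cq[slot->dlvry_queue];`. Separately, the commit log identifies the affected sites by line number (1053, 1878, 1057, 1881); naming the two functions shown in the hunk headers instead would keep the description accurate once the file changes.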
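
Review bot: The second hunk (hisi_sas_internal_task_abort) now carries the same sequence as the first: read `task->lldd_task` into slot, test `if (slot)`, then derive cq from `slot->dlvry_queue` before the tasklet flush. Two copies of the same ordering-sensitive pattern are how the original dereference-before-check ended up in both places. Consider a follow-up that moves the NULL check and the cq lookup into one small helper taking hisi_hba and slot, so the check-then-dereference order is enforced in a single location. The missing blank line after the cq declaration applies here as well.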