From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tuo Li, TOTE Robot, Bodo Stroesser, "Martin K . Petersen", Sasha Levin, linux-scsi@vger.kernel.org, target-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 18/37] scsi: target: pscsi: Fix possible null-pointer dereference in pscsi_complete_cmd()
Date: Thu, 9 Sep 2021 20:21:23 -0400
Message-Id: <20210910002143.175731-18-sashal@kernel.org>
In-Reply-To: <20210910002143.175731-1-sashal@kernel.org>
References: <20210910002143.175731-1-sashal@kernel.org>

From: Tuo Li

[ Upstream commit 0f99792c01d1d6d35b86e850e9ccadd98d6f3e0c ]

The return value of transport_kmap_data_sg() is assigned to the variable
buf:

  buf = transport_kmap_data_sg(cmd);

And then it is checked:

  if (!buf) {

This indicates that buf can be NULL. However, it is dereferenced in the
following statements:

  if (!(buf[3] & 0x80))
    buf[3] |= 0x80;
  if (!(buf[2] & 0x80))
    buf[2] |= 0x80;

To fix these possible null-pointer dereferences, dereference buf and call
transport_kunmap_data_sg() only when buf is not NULL.

Link: https://lore.kernel.org/r/20210810040414.248167-1-islituo@gmail.com
Reported-by: TOTE Robot
Reviewed-by: Bodo Stroesser
Signed-off-by: Tuo Li
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
--- drivers/target/target_core_pscsi.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/target/target_core_pscsi.c b/drivers/target/target_core_pscsi.c index 55fe93296deb..17811bb07e9f 100644 --- a/drivers/target/target_core_pscsi.c +++ b/drivers/target/target_core_pscsi.c 
@@ -622,17 +622,17 @@ static void pscsi_complete_cmd(struct se_cmd *cmd, u8 scsi_status, buf = transport_kmap_data_sg(cmd); if (!buf) { ; /* XXX: TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE */ - } - - if (cdb[0] == MODE_SENSE_10) { - if (!(buf[3] & 0x80)) - buf[3] |= 0x80; } else { - if (!(buf[2] & 0x80)) - buf[2] |= 0x80; - } + if (cdb[0] == MODE_SENSE_10) { + if (!(buf[3] & 0x80)) + buf[3] |= 0x80; + } else { + if (!(buf[2] & 0x80)) + buf[2] |= 0x80; + } - transport_kunmap_data_sg(cmd); + transport_kunmap_data_sg(cmd); + } } } after_mode_sense: -- 2.30.2
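
Review bot: the `if (!buf)` branch still swallows the mapping failure with an empty statement, so when transport_kmap_data_sg() returns NULL execution falls through to after_mode_sense with the 0x80 bit never set in buf[2] or buf[3] and nothing reported. Consider acting on the XXX comment (returning TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE, or at least logging the failure); if ignoring it is intended, inverting the test to `if (buf) { ... }` and dropping the empty `;` branch would make that explicit. The inner `if (!(buf[3] & 0x80))` and `if (!(buf[2] & 0x80))` tests are also redundant in front of an unconditional `|= 0x80` and could be dropped while the block is being re-indented.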