Received: by 2002:a05:6358:11c7:b0:104:8066:f915 with SMTP id i7csp2304768rwl; Thu, 6 Apr 2023 08:26:14 -0700 (PDT) X-Google-Smtp-Source: AKy350Zk72G7ZupfrPSXPatrk3bJbrSgx1/2kF3QBgs1T87z6c7H6onMKk0zNLelIuHDCl2Lce1t X-Received: by 2002:a17:906:8388:b0:939:a610:fc32 with SMTP id p8-20020a170906838800b00939a610fc32mr6502563ejx.53.1680794774647; Thu, 06 Apr 2023 08:26:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680794774; cv=none; d=google.com; s=arc-20160816; b=szgMcW169VrZ7SvF1wP6Ww3orUdQVCKWTc6LLlCsRaeY6heBDI5dtJQS10WxiRH0FA o3J07Zp+afO44rBe+wU1Vm8d1nP8lLpE/cGLf1vmchqhBXF4x+3j+vsHvzhFb8ZxouIp mG/U+iFO1HRHEZKqfp1iNibyXmkWs7fOA4IQDku7tWdqvBPIwBFXGdvh0Yf0q+C4qd7I SHOs0nk0jnxtnbHcx7qm35Rjez8Hv4tRpBZk2RNnlmGky3IpBpdt2hQLsuoVD9MISHdF womZlZUGaoYKTCL0EnT0mQgWai0I4bojG029jUrXvqiJ/Nyi+3tATO/8FRMmBWRAb7PE ZCPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=uT6P8O/ObGQAv1KfFPSPTzaiH0ko44WcONlGqu7lgcM=; b=kyY6zf22JYvsiL2EcXvaLluiQs/nLZGHIwurBTYCx9Xzs327jccBfuuhlgerooVRMi qXqnXUAEDqHnyyzhF2ZgZUtMZK9rMR55D0SrI9oUuAKYMXg0h7cnjyB29Lj2EKyYAOsj ceB/EZaGnkn8wwKncnHbeExqFINDGj2tDReGC4Db/VxPohBtlHf4Ast1o0JuOSgM/lNX 0QtQe7vDR4zjjjfOai+GDey/WdIe0nOwKi/J0kg6gmqYWw1Epk7nEZBH7fYB+Z18a5su DVdtQbj/Q5VWdzikmX0YU7Pl8npmIdUSb1UcvMkt8Z1ta4389dk5w0n2r7RuCu+BPFLK Ngkw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yandex-team.ru header.s=default header.b=vVBmP036; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex-team.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ht10-20020a170907608a00b00930d1b8e44dsi1615373ejc.345.2023.04.06.08.25.48; Thu, 06 Apr 2023 08:26:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@yandex-team.ru header.s=default header.b=vVBmP036; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex-team.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239660AbjDFPJc (ORCPT + 99 others); Thu, 6 Apr 2023 11:09:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33440 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229485AbjDFPJ3 (ORCPT ); Thu, 6 Apr 2023 11:09:29 -0400 X-Greylist: delayed 183 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Thu, 06 Apr 2023 08:09:04 PDT Received: from forwardcorp1b.mail.yandex.net (forwardcorp1b.mail.yandex.net [IPv6:2a02:6b8:c02:900:1:45:d181:df01]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E89A49FF; Thu, 6 Apr 2023 08:09:04 -0700 (PDT) Received: from mail-nwsmtp-smtp-corp-canary-81.sas.yp-c.yandex.net (mail-nwsmtp-smtp-corp-canary-81.sas.yp-c.yandex.net [IPv6:2a02:6b8:c14:5708:0:640:5704:0]) by forwardcorp1b.mail.yandex.net (Yandex) with ESMTP id 523C360263; Thu, 6 Apr 2023 18:04:12 +0300 (MSK) Received: from den-plotnikov-w.yandex-team.ru (unknown [2a02:6b8:b081:b509::1:20]) by mail-nwsmtp-smtp-corp-canary-81.sas.yp-c.yandex.net (smtpcorp/Yandex) with ESMTPSA id 54SddM0OoiE0-BlJ8zXkE; Thu, 06 Apr 2023 18:04:11 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex-team.ru; s=default; t=1680793451; bh=uT6P8O/ObGQAv1KfFPSPTzaiH0ko44WcONlGqu7lgcM=; h=Message-Id:Date:Cc:Subject:To:From; b=vVBmP036Ddx8dYBXXWchfwThvZXoPY/JdtPoqqu1z53chZD8mixRIBDEV51FdK1OB cki+wXjp7Sd10zuDF9Ys0vIxjRgEjoB/xYGkhQtT4m4qJlTJFt6YMMgY+Iv6sKYXbF 43Z7c5r7SH5IS8tSfIop8fGwuzu1KhvyWjZ+cjas= Authentication-Results: mail-nwsmtp-smtp-corp-canary-81.sas.yp-c.yandex.net; dkim=pass header.i=@yandex-team.ru From: Denis Plotnikov To: linux-scsi@vger.kernel.org Cc: linux-kernel@vger.kernel.org, den-plotnikov@yandex-team.ru, target-devel@vger.kernel.org, varun@chelsio.com, nab@linux-iscsi.org, martin.petersen@oracle.com Subject: [PATCH] scsi: target: cxgbit: check skb dequeue result Date: Thu, 6 Apr 2023 18:04:05 +0300 Message-Id: <20230406150405.300909-1-den-plotnikov@yandex-team.ru> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On a couple of abort packet paths skb dequeuing may end up with returning NULL, which, in turn, may end up with further null pointer dereference. Fix it by checking the return value of skb dequeuing. Found by Linux Verification Center(linuxtesting.org) with SVACE. Fixes: 9730ffcb8957 (cxgbit: add files for cxgbit.ko) Signed-off-by: Denis Plotnikov --- drivers/target/iscsi/cxgbit/cxgbit_cm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/target/iscsi/cxgbit/cxgbit_cm.c b/drivers/target/iscsi/cxgbit/cxgbit_cm.c index 518ded214e74..d43fd761c20a 100644 --- a/drivers/target/iscsi/cxgbit/cxgbit_cm.c +++ b/drivers/target/iscsi/cxgbit/cxgbit_cm.c @@ -669,6 +669,9 @@ static int cxgbit_send_abort_req(struct cxgbit_sock *csk) cxgbit_send_tx_flowc_wr(csk); skb = __skb_dequeue(&csk->skbq); + if (!skb) + return 0; + cxgb_mk_abort_req(skb, len, csk->tid, csk->txq_idx, csk->com.cdev, cxgbit_abort_arp_failure); @@ -1769,9 +1772,10 @@ static void cxgbit_abort_req_rss(struct cxgbit_sock *csk, struct sk_buff *skb) cxgbit_send_tx_flowc_wr(csk); rpl_skb = __skb_dequeue(&csk->skbq); - - cxgb_mk_abort_rpl(rpl_skb, len, csk->tid, csk->txq_idx); - cxgbit_ofld_send(csk->com.cdev, rpl_skb); + if (!rpl_skb) { + cxgb_mk_abort_rpl(rpl_skb, len, csk->tid, csk->txq_idx); + cxgbit_ofld_send(csk->com.cdev, rpl_skb); + } if (wakeup_thread) { cxgbit_queue_rx_skb(csk, skb); -- 2.25.1