Message-ID: <7e4c7af1adbfa91d05259ae65cade66521c3b182.camel@HansenPartnership.com>
Subject: Re: [PATCH] 53c700: add 'slot' check to NULL
From: James Bottomley
To: Alexandra Diupina
Cc: "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Vladimir Telezhnikov
Date: Thu, 27 Jul 2023 13:13:15 -0400
In-Reply-To: <20230727153925.15297-1-adiupina@astralinux.ru>
References: <20230727153925.15297-1-adiupina@astralinux.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 2023-07-27 at 18:39 +0300, Alexandra Diupina wrote:
> The 'slot' variable allows a NULL value.
> It is necessary to add a check for a null
> value to avoid dereferencing the null pointer.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Co-developed-by: Vladimir Telezhnikov
> Signed-off-by: Vladimir Telezhnikov
> Signed-off-by: Alexandra Diupina
> ---
>  drivers/scsi/53c700.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c
> index e1e4f9d10887..8e5468d1733d 100644
> --- a/drivers/scsi/53c700.c
> +++ b/drivers/scsi/53c700.c
> @@ -1598,6 +1598,8 @@ NCR_700_intr(int irq, void *dev_id)
>                                 printk("scsi%d (%d:%d) PHASE MISMATCH
> IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host-
> >host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript,
> sbcl_to_string(NCR_700_readb(host, SBCL_REG)));
>  #endif
>                                 resume_offset = hostdata->pScript +
> Ent_SendMessagePhaseMismatch;
> +                       } else if (!slot) {
> +                               printk(KERN_ERR "53c700: SCSI DONE
> HAS NULL SCp\n");
>                         } else if(dsp >= to32bit(&slot->pSG[0].ins)
> &&

I don't believe anyone has ever hit this, but if slot were null, it
would have to drop through to the else clause to get a bus reset to
kick the device.  If we do what you propose above, the driver would
hang instead of crashing, which isn't a better outcome.

Something like this.

James

---

diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c
index e1e4f9d10887..5296a13404cf 100644
--- a/drivers/scsi/53c700.c
+++ b/drivers/scsi/53c700.c
@@ -1598,7 +1598,7 @@ NCR_700_intr(int irq, void *dev_id)
                                 printk("scsi%d (%d:%d) PHASE MISMATCH IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host->host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, sbcl_to_string(NCR_700_readb(host, SBCL_REG)));
 #endif
                                 resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch;
-                        } else if(dsp >= to32bit(&slot->pSG[0].ins) &&
+                        } else if(slot && dsp >= to32bit(&slot->pSG[0].ins) &&
                                   dsp <= to32bit(&slot->pSG[NCR_700_SG_SEGMENTS].ins)) {
                                 int data_transfer = NCR_700_readl(host, DBC_REG) & 0xffffff;
                                 int SGcount = (dsp - to32bit(&slot->pSG[0].ins))/sizeof(struct NCR_700_SG_List);
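Review bot: in the quoted hunk, the new `} else if (!slot) {` arm only prints and then ends the chain, so a NULL slot never reaches the arms below it, including the trailing else that the reply identifies as the bus-reset recovery path; folding the guard into the existing condition (`} else if(slot && dsp >= to32bit(&slot->pSG[0].ins) &&`) keeps that path reachable while still avoiding the dereference. Separately, the message text "53c700: SCSI DONE HAS NULL SCp" does not describe this location (phase-mismatch handling in NCR_700_intr) and, unlike the neighbouring printk, carries no `scsi%d` host number, so it would be hard to attribute on a system with more than one controller; the message should name the actual condition and use the same `scsi%d (%d:%d)` prefix.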
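Review bot: in James's hunk, the `slot &&` guard relies on `&&` short-circuiting so `&slot->pSG[0].ins` is never evaluated for a NULL slot, and the NULL case now drops into the arms below, which matches the stated intent of reaching the bus-reset else clause; since this diff carries no commit message, the final version should state that a NULL slot is deliberately routed to the reset path rather than reported, and a one-line comment at the condition would keep a later static-analysis driven patch from splitting it back into a log-only branch. It is also worth confirming that none of the arms between this condition and the final else dereference `slot` themselves, since the guard only protects this one condition.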
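As an added illustration of the control-flow point James makes (constructed example code, not the 53c700 driver's and not from this thread): a model of an interrupt-handler dispatch chain over a possibly-NULL per-command slot. Variant A adds a separate log-only arm for a NULL slot, the shape of the original patch; variant B folds the NULL guard into the existing condition so a NULL slot drops through to the recovery arm, the shape of the reply. Every name and value below (`cmd_slot`, `SG_SEGMENTS`, the `0x1000` script addresses, the `enum action` outcomes) is hypothetical.

```c
/*
 * Added example, not code from the 53c700 driver or from this thread.
 * Models the dispatch chain an interrupt handler runs over a per-command
 * slot that may be NULL.  All names and values are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SG_SEGMENTS 3                 /* stand-in for NCR_700_SG_SEGMENTS */

struct sg_entry { uint32_t ins; };    /* one scatter/gather script entry */
struct cmd_slot { struct sg_entry pSG[SG_SEGMENTS + 1]; };

enum action {
	ACT_PHASE_MISMATCH_RESUME,    /* resume the script after a phase mismatch */
	ACT_SG_RESTART,               /* restart from the slot's SG list */
	ACT_LOG_ONLY,                 /* print an error and stop: no recovery */
	ACT_BUS_RESET,                /* final else: reset the bus to kick the device */
};

/* Is the script pointer inside this slot's SG script region? */
static int dsp_in_sg_list(const struct cmd_slot *slot, uint32_t dsp)
{
	return dsp >= slot->pSG[0].ins && dsp <= slot->pSG[SG_SEGMENTS].ins;
}

/* Variant A: a separate "else if (!slot)" arm that only logs. */
enum action dispatch_log_only(const struct cmd_slot *slot, uint32_t dsp,
			      int phase_mismatch)
{
	if (phase_mismatch) {
		return ACT_PHASE_MISMATCH_RESUME;
	} else if (!slot) {
		/* the error is reported, but the chain ends here: no recovery */
		return ACT_LOG_ONLY;
	} else if (dsp_in_sg_list(slot, dsp)) {
		return ACT_SG_RESTART;
	} else {
		return ACT_BUS_RESET;
	}
}

/* Variant B: the NULL guard folded into the condition.  && short-circuits,
 * so slot is never dereferenced, and a NULL slot falls through to reset. */
enum action dispatch_fallthrough(const struct cmd_slot *slot, uint32_t dsp,
				 int phase_mismatch)
{
	if (phase_mismatch) {
		return ACT_PHASE_MISMATCH_RESUME;
	} else if (slot && dsp_in_sg_list(slot, dsp)) {
		return ACT_SG_RESTART;
	} else {
		return ACT_BUS_RESET;
	}
}

/* Constructed sample slot whose SG script spans 0x1000..0x1030. */
struct cmd_slot make_sample_slot(void)
{
	struct cmd_slot s;
	int i;

	for (i = 0; i <= SG_SEGMENTS; i++)
		s.pSG[i].ins = 0x1000u + 0x10u * (uint32_t)i;
	return s;
}

static const char *action_name(enum action a)
{
	switch (a) {
	case ACT_PHASE_MISMATCH_RESUME: return "resume";
	case ACT_SG_RESTART:            return "sg-restart";
	case ACT_LOG_ONLY:              return "log-only";
	case ACT_BUS_RESET:             return "bus-reset";
	}
	return "?";
}

int main(void)
{
	struct cmd_slot slot = make_sample_slot();
	const struct cmd_slot *cases[] = { &slot, &slot, NULL };
	uint32_t dsps[] = { 0x1010, 0x2000, 0x1010 };
	int i;

	/* Side-by-side outcome of both variants for the same inputs. */
	printf("%-6s %-8s %-12s %-12s\n", "slot", "dsp", "variant A", "variant B");
	for (i = 0; i < 3; i++)
		printf("%-6s 0x%04x   %-12s %-12s\n",
		       cases[i] ? "valid" : "NULL", dsps[i],
		       action_name(dispatch_log_only(cases[i], dsps[i], 0)),
		       action_name(dispatch_fallthrough(cases[i], dsps[i], 0)));
	return 0;
}
```

The two variants agree whenever the slot is valid; they differ only in the NULL row, where variant A stops at the log message and variant B reaches the bus-reset arm. That row is the whole argument of the reply: a guard that merely avoids the dereference is not the same as a guard that preserves the recovery path.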