Message ID | 20230727153925.15297-1-adiupina@astralinux.ru |
---|---|
State | New |
Headers |
From: Alexandra Diupina <adiupina@astralinux.ru> To: "James E.J. Bottomley" <James.Bottomley@HansenPartnership.com> Cc: Alexandra Diupina <adiupina@astralinux.ru>, "Martin K. Petersen" <martin.petersen@oracle.com>, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org, Vladimir Telezhnikov <vtelezhnikov@astralinux.ru> Subject: [PATCH] 53c700: add 'slot' check to NULL Date: Thu, 27 Jul 2023 18:39:25 +0300 Message-Id: <20230727153925.15297-1-adiupina@astralinux.ru> |
Series | 53c700: add 'slot' check to NULL |
Commit Message
Alexandra Diupina
July 27, 2023, 3:39 p.m. UTC
The 'slot' variable allows a NULL value. It is necessary to add a check for a null value to avoid dereferencing the null pointer.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Co-developed-by: Vladimir Telezhnikov <vtelezhnikov@astralinux.ru>
Signed-off-by: Vladimir Telezhnikov <vtelezhnikov@astralinux.ru>
Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
---
drivers/scsi/53c700.c | 2 ++
1 file changed, 2 insertions(+)
Comments
On Thu, 2023-07-27 at 18:39 +0300, Alexandra Diupina wrote:
> The 'slot' variable allows a NULL value.
> It is necessary to add a check for a null
> value to avoid dereferencing the null pointer.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Co-developed-by: Vladimir Telezhnikov <vtelezhnikov@astralinux.ru>
> Signed-off-by: Vladimir Telezhnikov <vtelezhnikov@astralinux.ru>
> Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
> ---
> drivers/scsi/53c700.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c > index e1e4f9d10887..8e5468d1733d 100644 > --- a/drivers/scsi/53c700.c > +++ b/drivers/scsi/53c700.c > @@ -1598,6 +1598,8 @@ NCR_700_intr(int irq, void *dev_id) > printk("scsi%d (%d:%d) PHASE MISMATCH > IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host- > >host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, > sbcl_to_string(NCR_700_readb(host, SBCL_REG))); > #endif > resume_offset = hostdata->pScript + > Ent_SendMessagePhaseMismatch; > + } else if (!slot) { > + printk(KERN_ERR "53c700: SCSI DONE > HAS NULL SCp\n"); > } else if(dsp >= to32bit(&slot->pSG[0].ins) > &&

I don't believe anyone has ever hit this, but if slot were null, it would have to drop through to the else clause to get a bus reset to kick the device. If we do what you propose above, the driver would hang instead of crashing, which isn't a better outcome.

Something like this.

James

---

diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c index e1e4f9d10887..5296a13404cf 100644 --- a/drivers/scsi/53c700.c +++ b/drivers/scsi/53c700.c
@@ -1598,7 +1598,7 @@ NCR_700_intr(int irq, void *dev_id) printk("scsi%d (%d:%d) PHASE MISMATCH IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host->host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, sbcl_to_string(NCR_700_readb(host, SBCL_REG))); #endif resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch; - } else if(dsp >= to32bit(&slot->pSG[0].ins) && + } else if(slot && dsp >= to32bit(&slot->pSG[0].ins) && dsp <= to32bit(&slot->pSG[NCR_700_SG_SEGMENTS].ins)) { int data_transfer = NCR_700_readl(host, DBC_REG) & 0xffffff; int SGcount = (dsp - to32bit(&slot->pSG[0].ins))/sizeof(struct NCR_700_SG_List);
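
Review bot: The 'slot &&' guard on the changed 'else if' line protects only that one arm, so the fix depends on every later arm that a NULL 'slot' now reaches being free of 'slot' dereferences, and none of those arms fall inside the context shown here. Before this is applied, check the remaining 'else if' and 'else' branches of this chain in NCR_700_intr() (the message above says the final else is what triggers the bus reset), and consider a one-line comment at the condition saying that a NULL slot deliberately falls through to the reset path. As posted this is also a sketch with no changelog or Signed-off-by, so it needs both to be merged.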
diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c index e1e4f9d10887..8e5468d1733d 100644 --- a/drivers/scsi/53c700.c +++ b/drivers/scsi/53c700.c @@ -1598,6 +1598,8 @@ NCR_700_intr(int irq, void *dev_id) printk("scsi%d (%d:%d) PHASE MISMATCH IN SEND MESSAGE %d remain, return %p[%04x], phase %s\n", host->host_no, pun, lun, count, (void *)temp, temp - hostdata->pScript, sbcl_to_string(NCR_700_readb(host, SBCL_REG))); #endif resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch; + } else if (!slot) { + printk(KERN_ERR "53c700: SCSI DONE HAS NULL SCp\n"); } else if(dsp >= to32bit(&slot->pSG[0].ins) && dsp <= to32bit(&slot->pSG[NCR_700_SG_SEGMENTS].ins)) { int data_transfer = NCR_700_readl(host, DBC_REG) & 0xffffff;
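
Review bot: The added 'else if (!slot)' arm only calls printk() and, unlike the arm directly above it, which sets 'resume_offset = hostdata->pScript + Ent_SendMessagePhaseMismatch;', assigns nothing and starts no recovery, so a NULL 'slot' is logged and then dropped; the reply in this thread points out that the driver would hang instead of reaching the bus reset in the final else. Folding the test into the following condition, as in '} else if(slot && dsp >= to32bit(&slot->pSG[0].ins) &&', avoids the dereference and keeps that fallthrough. If a log line is still wanted, the text "SCSI DONE HAS NULL SCp" does not describe this condition (the test is on 'slot', in the branch chain that follows the PHASE MISMATCH IN SEND MESSAGE handling), so reword it.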