On Mon, 2019-11-11 at 15:03 -0800, James Smart wrote:
> Coverity reported the following:
>
> *** CID 1487391: Null pointer dereferences (FORWARD_NULL)
> /drivers/scsi/lpfc/lpfc_scsi.c: 614 in lpfc_get_scsi_buf_s3()
> 608 spin_unlock(&phba->scsi_buf_list_put_lock);
> 609 }
> 610 spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
> 611
> 612 if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
> 613 atomic_inc(&ndlp->cmd_pending);
> vvv CID 1487391: Null pointer dereferences (FORWARD_NULL)
> vvv Dereferencing null pointer "lpfc_cmd".
> 614 lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
> 615 }
> 616 return lpfc_cmd;
> 617 }
> 618 /**
> 619 * lpfc_get_scsi_buf_s4 - Get a scsi buffer from io_buf_list of the HBA
>
> Fix by checking lpfc_cmd to be non-NULL as part of line 612
>
> Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx>
> Addresses-Coverity-ID: 1487391 ("Null pointer dereferences")
> Fixes: 2a5b7d626ed2 ("scsi: lpfc: Limit tracking of tgt queue depth in fast path")
>
> Signed-off-by: Dick Kennedy <dick.kennedy@xxxxxxxxxxxx>
> Signed-off-by: James Smart <jsmart2021@xxxxxxxxx>
> CC: "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>
> CC: "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx>
> CC: linux-next@xxxxxxxxxxxxxxx
> ---
> drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
> index 959ef471d758..ba26df90a36a 100644
> --- a/drivers/scsi/lpfc/lpfc_scsi.c
> +++ b/drivers/scsi/lpfc/lpfc_scsi.c
> @@ -611,7 +611,7 @@ lpfc_get_scsi_buf_s3(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp,
> }
> spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
>
> - if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
> + if (lpfc_ndlp_check_qdepth(phba, ndlp) && lpfc_cmd) {
> atomic_inc(&ndlp->cmd_pending);
> lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
> }
Reviewed-by: Ewan D. Milne <emilne@xxxxxxxxxx>
