Re: [PATCH] qla2xxx: Fix a NULL pointer dereference in an error path

"Ewan D. Milne" <emilne@xxxxxxxxxx> · Mon, 13 Jan 2020 10:29:46 -0500

On Sun, 2020-01-12 at 13:08 -0800, Bart Van Assche wrote:
> This patch fixes the following Coverity complaint:
> 
> FORWARD_NULL
> 
> qla_init.c: 5275 in qla2x00_configure_local_loop()
> 5269
> 5270     		if (fcport->scan_state == QLA_FCPORT_FOUND)
> 5271     			qla24xx_fcport_handle_login(vha, fcport);
> 5272     	}
> 5273
> 5274     cleanup_allocation:
> > > >     CID 353340:    (FORWARD_NULL)
> > > >     Passing null pointer "new_fcport" to "qla2x00_free_fcport", which dereferences it.
> 
> 5275     	qla2x00_free_fcport(new_fcport);
> 5276
> 5277     	if (rval != QLA_SUCCESS) {
> 5278     		ql_dbg(ql_dbg_disc, vha, 0x2098,
> 5279     		    "Configure local loop error exit: rval=%x.\n", rval);
> 5280     	}
> qla_init.c: 5275 in qla2x00_configure_local_loop()
> 5269
> 5270     		if (fcport->scan_state == QLA_FCPORT_FOUND)
> 5271     			qla24xx_fcport_handle_login(vha, fcport);
> 5272     	}
> 5273
> 5274     cleanup_allocation:
> > > >     CID 353340:    (FORWARD_NULL)
> > > >     Passing null pointer "new_fcport" to "qla2x00_free_fcport", which dereferences it.
> 
> 5275     	qla2x00_free_fcport(new_fcport);
> 5276
> 5277     	if (rval != QLA_SUCCESS) {
> 5278     		ql_dbg(ql_dbg_disc, vha, 0x2098,
> 5279     		    "Configure local loop error exit: rval=%x.\n", rval);
> 5280     	}
> 
> Cc: Himanshu Madhani <hmadhani@xxxxxxxxxxx>
> Cc: Quinn Tran <qutran@xxxxxxxxxxx>
> Cc: Martin Wilck <mwilck@xxxxxxxx>
> Cc: Daniel Wagner <dwagner@xxxxxxx>
> Cc: Roman Bolshakov <r.bolshakov@xxxxxxxxx>
> Fixes: 3dae220595ba ("scsi: qla2xxx: Use common routine to free fcport struct")
> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>
> ---
>  drivers/scsi/qla2xxx/qla_init.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
> index c4e087217484..6560908ed50e 100644
> --- a/drivers/scsi/qla2xxx/qla_init.c
> +++ b/drivers/scsi/qla2xxx/qla_init.c
> @@ -4895,6 +4895,8 @@ qla2x00_alloc_fcport(scsi_qla_host_t *vha, gfp_t flags)
>  void
>  qla2x00_free_fcport(fc_port_t *fcport)
>  {
> +	if (!fcport)
> +		return;
>  	if (fcport->ct_desc.ct_sns) {
>  		dma_free_coherent(&fcport->vha->hw->pdev->dev,
>  			sizeof(struct ct_sns_pkt), fcport->ct_desc.ct_sns,
> 

I would have fixed this by moving the label to be after the qla2x00_free_fcport()
call in qla2x00_configure_local_loop(), which Coverity complained about.  And
called it something different.  (The code could probably be simplified by only
making a call to qla2x00_alloc_fcport() in one place, something to think about...)

I also notice that there is duplicate code in qla2x00_alloc_fcport() that tests for:

        if (!fcport->ct_desc.ct_sns)

But, this should fix the Coverity issue.

Reviewed-by: Ewan D. Milne <emilne@xxxxxxxxxx>