ahd_lookup_scb() may return a null pointer and further lead to null pointer dereference in case DATA_OVERRUN. Fix this by adding a null check.
Signed-off-by: Dinghao Liu <dinghao.liu@xxxxxxxxxx>
---
 drivers/scsi/aic7xxx/aic79xx_core.c | 44 +++++++++++++++--------------
 1 file changed, 23 insertions(+), 21 deletions(-)
diff --git a/drivers/scsi/aic7xxx/aic79xx_core.c b/drivers/scsi/aic7xxx/aic79xx_core.c
index 3e3100dbfda3..f990f7f48f49 100644
--- a/drivers/scsi/aic7xxx/aic79xx_core.c
+++ b/drivers/scsi/aic7xxx/aic79xx_core.c
@@ -2199,30 +2199,32 @@ ahd_handle_seqint(struct ahd_softc *ahd, u_int intstat)
 scbindex = ahd_get_scbptr(ahd);
 scb = ahd_lookup_scb(ahd, scbindex);
+ if (scb != NULL) {
 #ifdef AHD_DEBUG
- lastphase = ahd_inb(ahd, LASTPHASE);
- if ((ahd_debug & AHD_SHOW_RECOVERY) != 0) {
- ahd_print_path(ahd, scb);
- printk("data overrun detected %s. Tag == 0x%x.\n",
- ahd_lookup_phase_entry(lastphase)->phasemsg,
- SCB_GET_TAG(scb));
- ahd_print_path(ahd, scb);
- printk("%s seen Data Phase. Length = %ld. "
- "NumSGs = %d.\n",
- ahd_inb(ahd, SEQ_FLAGS) & DPHASE
- ? "Have" : "Haven't",
- ahd_get_transfer_length(scb), scb->sg_count);
- ahd_dump_sglist(scb);
- }
+ lastphase = ahd_inb(ahd, LASTPHASE);
+ if ((ahd_debug & AHD_SHOW_RECOVERY) != 0) {
+ ahd_print_path(ahd, scb);
+ printk("data overrun detected %s. Tag == 0x%x.\n",
+ ahd_lookup_phase_entry(lastphase)->phasemsg,
+ SCB_GET_TAG(scb));
+ ahd_print_path(ahd, scb);
+ printk("%s seen Data Phase. Length = %ld. "
+ "NumSGs = %d.\n",
+ ahd_inb(ahd, SEQ_FLAGS) & DPHASE
+ ? "Have" : "Haven't",
+ ahd_get_transfer_length(scb), scb->sg_count);
+ ahd_dump_sglist(scb);
+ }
 #endif
- /*
- * Set this and it will take effect when the
- * target does a command complete.
- */
- ahd_freeze_devq(ahd, scb);
- ahd_set_transaction_status(scb, CAM_DATA_RUN_ERR);
- ahd_freeze_scb(scb);
+ /*
+ * Set this and it will take effect when the
+ * target does a command complete.
+ */
+ ahd_freeze_devq(ahd, scb);
+ ahd_set_transaction_status(scb, CAM_DATA_RUN_ERR);
+ ahd_freeze_scb(scb);
+ }
 break;
 }
 case MKMSG_FAILED:
-- 
2.17.1
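Review bot: With the new `if (scb != NULL)` wrapper, a DATA_OVERRUN seqint whose SCB index does not resolve is now dropped silently: no message, no device-queue freeze, just the `break`, so the very condition this patch guards against leaves no trace in the log. A guard directly after `scb = ahd_lookup_scb(ahd, scbindex);` such as `if (scb == NULL) { printk("DATA_OVERRUN with no SCB for index 0x%x\n", scbindex); break; }` reports the (presumably sequencer-side) inconsistency and keeps the change to three added lines instead of re-indenting 21 unchanged lines, which makes the real change hard to see in history. If other cases in this switch already log a "referenced scb not valid" style message, reusing that wording would keep the diagnostics consistent. ahd_handle_seqint begins and ends outside this hunk.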