From: Alexandr Sapozhnikov <alsp705@xxxxxxxxx>
After having been compared to NULL value at aic7xxx_core.c:1569, pointer 'scb' is passed as 2nd parameter in call to function 'ahc_qinfifo_requeue_tail' at aic7xxx_core.c:1864, :1876, :1890, where it is dereferenced. Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Alexandr Sapozhnikov <alsp705@xxxxxxxxx>
---
drivers/scsi/aic7xxx/aic7xxx_core.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/scsi/aic7xxx/aic7xxx_core.c b/drivers/scsi/aic7xxx/aic7xxx_core.c
index a396f04..6840729 100644
--- a/drivers/scsi/aic7xxx/aic7xxx_core.c
+++ b/drivers/scsi/aic7xxx/aic7xxx_core.c
@@ -1819,13 +1819,15 @@ ahc_handle_scsiint(struct ahc_softc *ahc, u_int intstat)
 tag = SCB_LIST_NULL;
 if (ahc_sent_msg(ahc, AHCMSG_1B, ABORT_TASK, TRUE)
 || ahc_sent_msg(ahc, AHCMSG_1B, ABORT_TASK_SET, TRUE)) {
- if (ahc->msgout_buf[ahc->msgout_index - 1]
- == ABORT_TASK)
- tag = scb->hscb->tag;
- ahc_print_path(ahc, scb);
- printk("SCB %d - Abort%s Completed.\n",
+ if (scb) {
+ if (ahc->msgout_buf[ahc->msgout_index - 1]
+ == ABORT_TASK)
+ tag = scb->hscb->tag;
+ ahc_print_path(ahc, scb);
+ printk("SCB %d - Abort%s Completed.\n",
 scb->hscb->tag,
 tag == SCB_LIST_NULL ? "" : " Tag");
+ }
 ahc_abort_scbs(ahc, target, channel,
 saved_lun, tag,
 ROLE_INITIATOR,
@@ -1861,7 +1863,8 @@ ahc_handle_scsiint(struct ahc_softc *ahc, u_int intstat)
 tinfo->curr.transport_version = 2;
 tinfo->goal.transport_version = 2;
 tinfo->goal.ppr_options = 0;
- ahc_qinfifo_requeue_tail(ahc, scb);
+ if (scb)
+ ahc_qinfifo_requeue_tail(ahc, scb);
 printerror = 0;
 } else if (ahc_sent_msg(ahc, AHCMSG_EXT, EXTENDED_WDTR,
 FALSE)) {
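Review bot: With scb NULL, the new `if (scb) {` block skips the tag lookup but control still reaches `ahc_abort_scbs(ahc, target, channel, saved_lun, tag, ...)` with `tag == SCB_LIST_NULL`, so an ABORT_TASK completion whose SCB could not be found would now abort every command on that lun rather than the one tagged; if that widening is intended a comment should say so, and if it is not, the NULL case should at least be reported rather than silently tolerated, e.g. `} else { printk("Abort completed with no SCB\n"); }` before the abort call. The hunk does not show how scb is obtained, so whether NULL is actually reachable here cannot be confirmed from it; the commit message points at a NULL comparison at line 1569, which is outside the hunk. As a style point, the `printk` call is re-indented one level inside the new block but its continuation lines `scb->hscb->tag,` and `tag == SCB_LIST_NULL ? "" : " Tag");` remain at their old column as context lines, so the arguments no longer line up with the opening parenthesis. ahc_handle_scsiint begins and ends outside this hunk.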
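Review bot: Guarding `ahc_qinfifo_requeue_tail(ahc, scb)` with `if (scb)` here, and identically in the two following hunks at lines 1876 and 1891, silently drops the requeue when no SCB is present, so a command whose PPR, WDTR or SDTR negotiation was just rejected would be neither requeued nor completed, and nothing in the hunk says what should happen to that I/O. Since the guard exists only to satisfy a static-analysis report, the commit should state whether scb can be NULL on this path at all (the check at line 1569 cited in the message is outside the hunk) and, if it can, carry a comment such as `/* NOTE(review): scb NULL skips the requeue -- confirm the command is completed elsewhere */` or a diagnostic printk in an else branch rather than a bare unexplained guard. If NULL is not reachable here, the three guards hide a real state inconsistency behind a silent no-op. ahc_handle_scsiint begins and ends outside this hunk.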
@@ -1873,7 +1876,8 @@ ahc_handle_scsiint(struct ahc_softc *ahc, u_int intstat)
 MSG_EXT_WDTR_BUS_8_BIT,
 AHC_TRANS_CUR|AHC_TRANS_GOAL,
 /*paused*/TRUE);
- ahc_qinfifo_requeue_tail(ahc, scb);
+ if (scb)
+ ahc_qinfifo_requeue_tail(ahc, scb);
 printerror = 0;
 } else if (ahc_sent_msg(ahc, AHCMSG_EXT, EXTENDED_SDTR,
 FALSE)) {
@@ -1887,7 +1891,8 @@ ahc_handle_scsiint(struct ahc_softc *ahc, u_int intstat)
 /*ppr_options*/0,
 AHC_TRANS_CUR|AHC_TRANS_GOAL,
 /*paused*/TRUE);
- ahc_qinfifo_requeue_tail(ahc, scb);
+ if (scb)
+ ahc_qinfifo_requeue_tail(ahc, scb);
 printerror = 0;
 }
 }
-- 
2.5.3