SCp is the 3rd argument of process_script_interrupt() (calls in drivers/scsi/53c700.c:1346, where SCp != NULL, and drivers/scsi/53c700.c:1672, where this condition is not guaranteed).

Before the call to process_script_interrupt() in drivers/scsi/53c700.c:1672 there is SCp = hostdata->cmd, where (type casts omitted) hostdata = host->hostdata[0], host = dev_id, and dev_id is the 2nd argument of NCR_700_intr(). NCR_700_intr() is used as the 2nd argument when calling request_irq() -> request_threaded_irq(). The last argument of the call request_irq(..., NCR_700_intr, ... host) is host. host = NCR_700_detect(), host->hostdata[0] = hostdata, hostdata->cmd = NULL.

So there is a possible NULL pointer dereference; add a NULL check for SCp in process_script_interrupt() to avoid it.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Alexandra Diupina <adiupina@xxxxxxxxxxxxx>
--- drivers/scsi/53c700.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/53c700.c b/drivers/scsi/53c700.c index 857be0f3ae5b..54bcc5727fbb 100644 --- a/drivers/scsi/53c700.c +++ b/drivers/scsi/53c700.c @@ -1067,7 +1067,7 @@ process_script_interrupt(__u32 dsps, __u32 dsp, struct scsi_cmnd *SCp, //} NCR_700_scsi_done(hostdata, SCp, hostdata->status[0]); } - } else if((dsps & 0xfffff0f0) == A_UNEXPECTED_PHASE) { + } else if ((dsps & 0xfffff0f0) == A_UNEXPECTED_PHASE && SCp) { __u8 i = (dsps & 0xf00) >> 8; scmd_printk(KERN_ERR, SCp, "UNEXPECTED PHASE %s (%s)\n", -- 2.30.2
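Review bot: folding `&& SCp` into the `else if` condition means an A_UNEXPECTED_PHASE interrupt that arrives with SCp == NULL no longer enters this branch at all and falls through to whatever follows in the else-if chain (not visible in this hunk), so the event is neither logged nor handled as an unexpected phase. Consider keeping the original condition and testing SCp inside the branch, logging without the command there (the visible dereference is `scmd_printk(KERN_ERR, SCp, "UNEXPECTED PHASE %s (%s)\n",`) and taking an explicit recovery path. The context line `NCR_700_scsi_done(hostdata, SCp, hostdata->status[0]);` in the preceding branch also passes SCp unguarded; if the call at drivers/scsi/53c700.c:1672 can deliver NULL as the commit message argues, the message should state why only this branch needs the check.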