If ahd_lookup_scb() returns NULL and ahd_sent_msg() checks are false,
then NULL pointer dereference happens
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Aleksandr Aprelkov <aaprelkov@xxxxxxxxxxxx>
---
drivers/scsi/aic7xxx/aic79xx_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/aic7xxx/aic79xx_core.c b/drivers/scsi/aic7xxx/aic79xx_core.c
index 3e3100dbfda3..9e0fafa12e87 100644
--- a/drivers/scsi/aic7xxx/aic79xx_core.c
+++ b/drivers/scsi/aic7xxx/aic79xx_core.c
@@ -5577,7 +5577,7 @@ ahd_handle_msg_reject(struct ahd_softc *ahd, struct ahd_devinfo *devinfo)
"Using asynchronous transfers\n",
ahd_name(ahd), devinfo->channel,
devinfo->target, devinfo->lun);
- } else if ((scb->hscb->control & SIMPLE_QUEUE_TAG) != 0) {
+ } else if (scb && (scb->hscb->control & SIMPLE_QUEUE_TAG) != 0) {
int tag_type;
int mask;
--
2.34.1
