On 4/1/24 15:10, Aleksandr Aprelkov wrote:
> If ahd_lookup_scb() returns NULL and ahd_sent_msg() checks are false,
> then NULL pointer dereference happens
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Aleksandr Aprelkov <aaprelkov@xxxxxxxxxxxx>
> ---
> drivers/scsi/aic7xxx/aic79xx_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/aic7xxx/aic79xx_core.c b/drivers/scsi/aic7xxx/aic79xx_core.c
> index 3e3100dbfda3..9e0fafa12e87 100644
> --- a/drivers/scsi/aic7xxx/aic79xx_core.c
> +++ b/drivers/scsi/aic7xxx/aic79xx_core.c
> @@ -5577,7 +5577,7 @@ ahd_handle_msg_reject(struct ahd_softc *ahd, struct ahd_devinfo *devinfo)
> "Using asynchronous transfers\n",
> ahd_name(ahd), devinfo->channel,
> devinfo->target, devinfo->lun);
> - } else if ((scb->hscb->control & SIMPLE_QUEUE_TAG) != 0) {
> + } else if (scb && (scb->hscb->control & SIMPLE_QUEUE_TAG) != 0) {
"!= 0" is not needed.
> int tag_type;
> int mask;
>
--
Damien Le Moal
Western Digital Research
