2016-03-09 15:58 GMT+02:00 Nicholas Krause <xerofoify@xxxxxxxxx>:
> This adds proper checking after the call to mvs_find_dev_mvi
> due to this function being able to return a NULL pointer and if
> this does arise we will dereference it in mvs_alloc_dev due to
> this function never checking if a NULL pointer is given as
> its input argument.
>
> Signed-off-by: Nicholas Krause <xerofoify@xxxxxxxxx>
> ---
>  drivers/scsi/mvsas/mv_sas.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
> index 83cd3ea..7afb248 100644
> --- a/drivers/scsi/mvsas/mv_sas.c
> +++ b/drivers/scsi/mvsas/mv_sas.c
> @@ -1191,6 +1191,10 @@ int mvs_dev_found_notify(struct domain_device *dev, int lock)
>  	struct mvs_device *mvi_device;
>
>  	mvi = mvs_find_dev_mvi(dev);
> +	if (!mvi) {
> +		res = -1;
> +		goto found_out;
> +	}
>
>  	if (lock)
>  		spin_lock_irqsave(&mvi->lock, flags);
> --
> 2.5.0
>

It doesn't look right: if mvi is NULL and lock is set, then at found_out:

	if (lock)
		spin_unlock_irqrestore(&mvi->lock, flags);

there will be an mvi dereference; besides, spin_lock_irqsave wasn't even called.
And without this patch the dereference would happen on mvi->lock, which is before the use in mvs_alloc_dev.

About whether mvs_find_dev_mvi can return NULL, it looks like it's possible, but I'm not sure if it practically happens. I guess it did, hence the patch.

--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
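Review bot: the early exit added in the `if (!mvi)` block jumps to found_out, but the unlock at that label (`if (lock) spin_unlock_irqrestore(&mvi->lock, flags);`) still dereferences mvi, so when lock is set the NULL dereference this patch is meant to prevent is only moved to the exit path, and it additionally unlocks a lock that was never taken because the `spin_lock_irqsave(&mvi->lock, flags)` just below the new check has not run yet. Return directly from the NULL branch instead of sharing the label, e.g. `if (!mvi) return -1;` placed before the spin_lock_irqsave, or add a separate label after the unlock for this path. Two smaller points: `res = -1` is not a meaningful errno for callers, so a proper -E value (such as -ENODEV) would be clearer; and the commit message says the dereference happens in mvs_alloc_dev, whereas the hunk's own context shows the first dereference is `&mvi->lock` in the spin_lock_irqsave call directly after the new check, so the message should name that site.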