On Mon, 2016-05-09 at 15:18 +0530, Sumit Saxena wrote: > > > > -----Original Message----- > > From: Dan Carpenter [mailto:dan.carpenter@xxxxxxxxxx] > > Sent: Monday, May 09, 2016 1:36 PM > > To: Finn Thain > > Cc: Petros Koutoupis; kashyap.desai@xxxxxxxxxxxxx; > > sumit.saxena@xxxxxxxxxxxxx; uday.lingala@xxxxxxxxxxxxx; > > megaraidlinux.pdl@xxxxxxxxxxxxx; linux-scsi@xxxxxxxxxxxxxxx > > Subject: Re: [PATCH] megaraid: add scsi_cmnd NULL check before use > > > > Smatch doesn't quite catch it because we check "cmd_fusion->scmd" for > NULL > > > > then assign "scmd_local = cmd_fusion->scmd;" and dereference scmd_local > > unconditionally... > > > > It does catch part of the bug if you have cross function analysis: > > > > drivers/scsi/megaraid/megaraid_sas_fusion.c:2318 complete_cmd_fusion() > > error: we previously assumed 'cmd_fusion->scmd' could be null (see > line 2281) > > > > > > But that code was from 2010 so I never reported it to the original > author or the > > > > list. > "cmd_fusion->scmd" should not be NULL if scsi_io_req->Function is set to > MPI2_FUNCTION_SCSI_IO_REQUEST (OR) MEGASAS_MPI2_FUNCTION_LD_IO_REQUES > (inside these two cases only, cmd_fusion->scmd will be dereferenced). If > cmd_fusion->scmd is NULL for these "scsi_io_req->Function", that will a > BUG and > should not continue with other commands processing in that case. > Sumit, To clarify, a detection of cmd_fusion->scmd being NULL with scsi_io_req->Function set to MPI2_FUNCTION_SCSI_IO_REQUEST or MEGASAS_MPI2_FUNCTION_LD_IO_REQUEST should instead trigger a BUG() and not attempt to iterate to the next command in the list. Thank you. -- Petros -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
