* [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences
[not found] <20191111230401.12958-1-jsmart2021@gmail.com>
@ 2019-11-11 23:03 ` James Smart
2019-11-12 18:30 ` Ewan D. Milne
2019-11-11 23:03 ` [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): " James Smart
1 sibling, 1 reply; 4+ messages in thread
From: James Smart @ 2019-11-11 23:03 UTC (permalink / raw)
To: linux-scsi
Cc: James Smart, Dick Kennedy, Martin K. Petersen,
Gustavo A. R. Silva, linux-next
Coverity reported the following:
*** CID 1487391: Null pointer dereferences (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_scsi.c: 614 in lpfc_get_scsi_buf_s3()
608 spin_unlock(&phba->scsi_buf_list_put_lock);
609 }
610 spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
611
612 if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
613 atomic_inc(&ndlp->cmd_pending);
vvv CID 1487391: Null pointer dereferences (FORWARD_NULL)
vvv Dereferencing null pointer "lpfc_cmd".
614 lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
615 }
616 return lpfc_cmd;
617 }
618 /**
619 * lpfc_get_scsi_buf_s4 - Get a scsi buffer from io_buf_list of the HBA
Fix by checking lpfc_cmd to be non-NULL as part of line 612
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487391 ("Null pointer dereferences")
Fixes: 2a5b7d626ed2 ("scsi: lpfc: Limit tracking of tgt queue depth in fast path")
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
CC: "Martin K. Petersen" <martin.petersen@oracle.com>
CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
CC: linux-next@vger.kernel.org
---
drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index 959ef471d758..ba26df90a36a 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -611,7 +611,7 @@ lpfc_get_scsi_buf_s3(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp,
}
spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
- if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
+ if (lpfc_ndlp_check_qdepth(phba, ndlp) && lpfc_cmd) {
atomic_inc(&ndlp->cmd_pending);
lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
}
--
2.13.7
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
[not found] <20191111230401.12958-1-jsmart2021@gmail.com>
2019-11-11 23:03 ` [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences James Smart
@ 2019-11-11 23:03 ` James Smart
2019-11-12 18:30 ` Ewan D. Milne
1 sibling, 1 reply; 4+ messages in thread
From: James Smart @ 2019-11-11 23:03 UTC (permalink / raw)
To: linux-scsi
Cc: James Smart, Dick Kennedy, James Bottomley, Gustavo A. R. Silva,
linux-next
Coverity reported the following:
*** CID 101747: Null pointer dereferences (FORWARD_NULL)
/drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
4433 kfree(mp);
4434 }
4435 mempool_free(mbox, phba->mbox_mem_pool);
4436 }
4437 out:
4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
vvv CID 101747: Null pointer dereferences (FORWARD_NULL)
vvv Dereferencing null pointer "shost".
4439 spin_lock_irq(shost->host_lock);
4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
4441 spin_unlock_irq(shost->host_lock);
4442
4443 /* If the node is not being used by another discovery thread,
4444 * and we are sending a reject, we are done with it.
Fix by adding a check for non-null shost in line 4438.
The scenario when shost is set to null is when ndlp is null.
As such, the ndlp check present was sufficient. But better safe
than sorry so add the shost check.
Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
CC: James Bottomley <James.Bottomley@SteelEye.com>
CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
CC: linux-next@vger.kernel.org
---
drivers/scsi/lpfc/lpfc_els.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 9a570c15b2a1..42a2bf38eaea 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -4445,7 +4445,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
mempool_free(mbox, phba->mbox_mem_pool);
}
out:
- if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
+ if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) {
spin_lock_irq(shost->host_lock);
ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
spin_unlock_irq(shost->host_lock);
--
2.13.7
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences
2019-11-11 23:03 ` [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences James Smart
@ 2019-11-12 18:30 ` Ewan D. Milne
0 siblings, 0 replies; 4+ messages in thread
From: Ewan D. Milne @ 2019-11-12 18:30 UTC (permalink / raw)
To: James Smart, linux-scsi
Cc: Dick Kennedy, Martin K. Petersen, Gustavo A. R. Silva, linux-next
On Mon, 2019-11-11 at 15:03 -0800, James Smart wrote:
> Coverity reported the following:
>
> *** CID 1487391: Null pointer dereferences (FORWARD_NULL)
> /drivers/scsi/lpfc/lpfc_scsi.c: 614 in lpfc_get_scsi_buf_s3()
> 608 spin_unlock(&phba->scsi_buf_list_put_lock);
> 609 }
> 610 spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
> 611
> 612 if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
> 613 atomic_inc(&ndlp->cmd_pending);
> vvv CID 1487391: Null pointer dereferences (FORWARD_NULL)
> vvv Dereferencing null pointer "lpfc_cmd".
> 614 lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
> 615 }
> 616 return lpfc_cmd;
> 617 }
> 618 /**
> 619 * lpfc_get_scsi_buf_s4 - Get a scsi buffer from io_buf_list of the HBA
>
> Fix by checking lpfc_cmd to be non-NULL as part of line 612
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 1487391 ("Null pointer dereferences")
> Fixes: 2a5b7d626ed2 ("scsi: lpfc: Limit tracking of tgt queue depth in fast path")
>
> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
> Signed-off-by: James Smart <jsmart2021@gmail.com>
> CC: "Martin K. Petersen" <martin.petersen@oracle.com>
> CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
> CC: linux-next@vger.kernel.org
> ---
> drivers/scsi/lpfc/lpfc_scsi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
> index 959ef471d758..ba26df90a36a 100644
> --- a/drivers/scsi/lpfc/lpfc_scsi.c
> +++ b/drivers/scsi/lpfc/lpfc_scsi.c
> @@ -611,7 +611,7 @@ lpfc_get_scsi_buf_s3(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp,
> }
> spin_unlock_irqrestore(&phba->scsi_buf_list_get_lock, iflag);
>
> - if (lpfc_ndlp_check_qdepth(phba, ndlp)) {
> + if (lpfc_ndlp_check_qdepth(phba, ndlp) && lpfc_cmd) {
> atomic_inc(&ndlp->cmd_pending);
> lpfc_cmd->flags |= LPFC_SBUF_BUMP_QDEPTH;
> }
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences
2019-11-11 23:03 ` [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): " James Smart
@ 2019-11-12 18:30 ` Ewan D. Milne
0 siblings, 0 replies; 4+ messages in thread
From: Ewan D. Milne @ 2019-11-12 18:30 UTC (permalink / raw)
To: James Smart, linux-scsi
Cc: Dick Kennedy, James Bottomley, Gustavo A. R. Silva, linux-next
On Mon, 2019-11-11 at 15:03 -0800, James Smart wrote:
> Coverity reported the following:
>
> *** CID 101747: Null pointer dereferences (FORWARD_NULL)
> /drivers/scsi/lpfc/lpfc_els.c: 4439 in lpfc_cmpl_els_rsp()
> 4433 kfree(mp);
> 4434 }
> 4435 mempool_free(mbox, phba->mbox_mem_pool);
> 4436 }
> 4437 out:
> 4438 if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
> vvv CID 101747: Null pointer dereferences (FORWARD_NULL)
> vvv Dereferencing null pointer "shost".
> 4439 spin_lock_irq(shost->host_lock);
> 4440 ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
> 4441 spin_unlock_irq(shost->host_lock);
> 4442
> 4443 /* If the node is not being used by another discovery thread,
> 4444 * and we are sending a reject, we are done with it.
>
> Fix by adding a check for non-null shost in line 4438.
> The scenario when shost is set to null is when ndlp is null.
> As such, the ndlp check present was sufficient. But better safe
> than sorry so add the shost check.
>
> Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
> Addresses-Coverity-ID: 101747 ("Null pointer dereferences")
> Fixes: 2e0fef85e098 ("[SCSI] lpfc: NPIV: split ports")
>
> Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
> Signed-off-by: James Smart <jsmart2021@gmail.com>
> CC: James Bottomley <James.Bottomley@SteelEye.com>
> CC: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
> CC: linux-next@vger.kernel.org
> ---
> drivers/scsi/lpfc/lpfc_els.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
> index 9a570c15b2a1..42a2bf38eaea 100644
> --- a/drivers/scsi/lpfc/lpfc_els.c
> +++ b/drivers/scsi/lpfc/lpfc_els.c
> @@ -4445,7 +4445,7 @@ lpfc_cmpl_els_rsp(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
> mempool_free(mbox, phba->mbox_mem_pool);
> }
> out:
> - if (ndlp && NLP_CHK_NODE_ACT(ndlp)) {
> + if (ndlp && NLP_CHK_NODE_ACT(ndlp) && shost) {
> spin_lock_irq(shost->host_lock);
> ndlp->nlp_flag &= ~(NLP_ACC_REGLOGIN | NLP_RM_DFLT_RPI);
> spin_unlock_irq(shost->host_lock);
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-11-12 18:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20191111230401.12958-1-jsmart2021@gmail.com>
2019-11-11 23:03 ` [PATCH 1/6] lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences James Smart
2019-11-12 18:30 ` Ewan D. Milne
2019-11-11 23:03 ` [PATCH 2/6] lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): " James Smart
2019-11-12 18:30 ` Ewan D. Milne
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).