[PATCH] [v2] sata_dwc_460ex: Fix missing check in sata_dwc_isr

[PATCH] [v2] sata_dwc_460ex: Fix missing check in sata_dwc_isr

[Dinghao Liu]

The return value of ata_qc_from_tag() is checked in the whole
kernel except for two calls in sata_dwc_isr(), which may lead
to null-pointer-dereference. Add return value checks to avoid
such case.

Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
---

Changelog:

v2: - Refine commit message.
      Add return value check for another ata_qc_from_tag() call.
---
 drivers/ata/sata_dwc_460ex.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
index 9dcef6ac643b..f0ef844428bb 100644
--- a/drivers/ata/sata_dwc_460ex.c
+++ b/drivers/ata/sata_dwc_460ex.c
@@ -543,6 +543,11 @@ static irqreturn_t sata_dwc_isr(int irq, void *dev_instance)
 		hsdev->sactive_issued |= qcmd_tag_to_mask(tag);
 
 		qc = ata_qc_from_tag(ap, tag);
+		if (unlikely(!qc)) {
+			dev_err(ap->dev, "failed to get qc");
+			handled = 1;
+			goto DONE;
+		}
 		/*
 		 * Start FP DMA for NCQ command.  At this point the tag is the
 		 * active tag.  It is the tag that matches the command about to
@@ -658,6 +663,11 @@ static irqreturn_t sata_dwc_isr(int irq, void *dev_instance)
 
 		tag_mask &= (~0x00000001);
 		qc = ata_qc_from_tag(ap, tag);
+		if (unlikely(!qc)) {
+			dev_err(ap->dev, "failed to get qc");
+			handled = 1;
+			goto DONE;
+		}
 
 		/* To be picked up by completion functions */
 		qc->ap->link.active_tag = tag;
-- 
2.17.1

Re: [PATCH] [v2] sata_dwc_460ex: Fix missing check in sata_dwc_isr

[Jens Axboe]

On 3/3/21 12:34 AM, Dinghao Liu wrote:
> The return value of ata_qc_from_tag() is checked in the whole
> kernel except for two calls in sata_dwc_isr(), which may lead
> to null-pointer-dereference. Add return value checks to avoid
> such case.

Applied, thanks.

-- 
Jens Axboe