diff mbox

scsi: lpfc: don't dereference dma_buf->iocbq before null check

Message ID 20170224140914.6011-1-colin.king@canonical.com (mailing list archive)
State Superseded, archived
Headers show

Commit Message

Colin King Feb. 24, 2017, 2:09 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

dma_buf->iocbq is being dereferenced immediately before it is
being null checked, so we have a potential null pointer dereference
bug.  Fix this by only dereferencing it only once we have passed
a null check on the pointer.

Detected by CoverityScan, CID#1411652 ("Dereference before null check")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/scsi/lpfc/lpfc_mem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Smart March 4, 2017, 5:42 p.m. UTC | #1 
Looks good. I included it in the lpfc patch set just posted.

-- james


On 2/24/2017 6:09 AM, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> dma_buf->iocbq is being dereferenced immediately before it is
> being null checked, so we have a potential null pointer dereference
> bug.  Fix this by only dereferencing it only once we have passed
> a null check on the pointer.
>
> Detected by CoverityScan, CID#1411652 ("Dereference before null check")
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
>   drivers/scsi/lpfc/lpfc_mem.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/lpfc/lpfc_mem.c b/drivers/scsi/lpfc/lpfc_mem.c
> index c61d8d6..5986c79 100644
> --- a/drivers/scsi/lpfc/lpfc_mem.c
> +++ b/drivers/scsi/lpfc/lpfc_mem.c
> @@ -646,7 +646,6 @@ lpfc_sli4_nvmet_alloc(struct lpfc_hba *phba)
>   	}
>   
>   	dma_buf->iocbq = lpfc_sli_get_iocbq(phba);
> -	dma_buf->iocbq->iocb_flag = LPFC_IO_NVMET;
>   	if (!dma_buf->iocbq) {
>   		kfree(dma_buf->context);
>   		pci_pool_free(phba->lpfc_drb_pool, dma_buf->dbuf.virt,
> @@ -658,6 +657,7 @@ lpfc_sli4_nvmet_alloc(struct lpfc_hba *phba)
>   				"2621 Ran out of nvmet iocb/WQEs\n");
>   		return NULL;
>   	}
> +	dma_buf->iocbq->iocb_flag = LPFC_IO_NVMET;
>   	nvmewqe = dma_buf->iocbq;
>   	wqe = (union lpfc_wqe128 *)&nvmewqe->wqe;
>   	/* Initialize WQE */
diff mbox

Patch

diff --git a/drivers/scsi/lpfc/lpfc_mem.c b/drivers/scsi/lpfc/lpfc_mem.c
index c61d8d6..5986c79 100644
--- a/drivers/scsi/lpfc/lpfc_mem.c
+++ b/drivers/scsi/lpfc/lpfc_mem.c
@@ -646,7 +646,6 @@  lpfc_sli4_nvmet_alloc(struct lpfc_hba *phba)
 	}
 
 	dma_buf->iocbq = lpfc_sli_get_iocbq(phba);
-	dma_buf->iocbq->iocb_flag = LPFC_IO_NVMET;
 	if (!dma_buf->iocbq) {
 		kfree(dma_buf->context);
 		pci_pool_free(phba->lpfc_drb_pool, dma_buf->dbuf.virt,
@@ -658,6 +657,7 @@  lpfc_sli4_nvmet_alloc(struct lpfc_hba *phba)
 				"2621 Ran out of nvmet iocb/WQEs\n");
 		return NULL;
 	}
+	dma_buf->iocbq->iocb_flag = LPFC_IO_NVMET;
 	nvmewqe = dma_buf->iocbq;
 	wqe = (union lpfc_wqe128 *)&nvmewqe->wqe;
 	/* Initialize WQE */