From patchwork Wed May 31 13:32:59 2023
X-Patchwork-Submitter: Maximilian Heyne
X-Patchwork-Id: 13262317
From: Maximilian Heyne
CC: Maximilian Heyne, Kashyap Desai, Sumit Saxena, Shivasharan S, "James E.J. Bottomley", "Martin K. Petersen", James Bottomley, Adam Radford, Christoph Hellwig
Subject: [PATCH] scsi: megaraid: Fix uninitialized mbox in mega_cmd_done
Date: Wed, 31 May 2023 13:32:59 +0000
Message-ID: <20230531133259.55619-1-mheyne@amazon.de>
X-Mailing-List: linux-scsi@vger.kernel.org

This is similar to commit 7a2ae008a53c ("scsi: megaraid: Fix
mega_cmd_done() CMDID_INT_CMDS"). When cmdid == CMDID_INT_CMDS and
status != 0 then mbox is still NULL but is dereferenced below.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 0f2bb84d2a68 ("[SCSI] megaraid: simplify internal command handling")
Signed-off-by: Maximilian Heyne
---
Note: I have only compile tested this commit. Haven't tried reproducing
it.

 drivers/scsi/megaraid.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/megaraid.c b/drivers/scsi/megaraid.c index e92f1a73cc9b..4dfe8865a18a 100644 --- a/drivers/scsi/megaraid.c +++ b/drivers/scsi/megaraid.c 
@@ -1442,6 +1442,7 @@ mega_cmd_done(adapter_t *adapter, u8 completed[], int nstatus, int status) if (cmdid == CMDID_INT_CMDS) { scb = &adapter->int_scb; cmd = scb->cmd; + mbox = (mbox_t *)scb->raw_mbox; list_del_init(&scb->list); scb->state = SCB_FREE;
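
Review bot: The dereference that the added `mbox = (mbox_t *)scb->raw_mbox;` in the `cmdid == CMDID_INT_CMDS` branch is meant to protect lies outside this hunk, and the changelog only says "dereferenced below", so the fix cannot be checked from the patch alone. Please name in the commit message the statement(s) in mega_cmd_done() that read `mbox` when `status != 0`, and confirm that `scb->raw_mbox` of `adapter->int_scb` holds the mailbox of the internal command at completion time, so that the fields read through the cast are meaningful rather than merely non-NULL. This matters more because the patch is stated to be compile tested only. The subject also says "uninitialized mbox" while the body says "mbox is still NULL"; these are different defects, so use one description consistently.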