| Message ID | 20220124172120.62828-1-zhou1615@umn.edu |
|---|---|
| State | New |
| Headers | show |
| Series | scsi: mpt3sas: FIx a NULL pointer dereference bug in mpt3sas_transport_port_add() | expand |
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c index 0681daee6c14..1caa929cf8bc 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_transport.c +++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c @@ -823,6 +823,11 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle, hba_port->sas_address = mpt3sas_port->remote_identify.sas_address; } + if (!rphy) { + ioc_err(ioc, "failure at %s:%d/%s()!\n", + __FILE__, __LINE__, __func__); + goto out_fail; + } rphy->identify = mpt3sas_port->remote_identify;
In mpt3sas_transport_port_add(), sas_end_device_alloc() is assigned to rphy and there is a dereference of it. sas_end_device_alloc() could return NULL on failure of allocation, which could introduce a NULL pointer dereference bug. The same as sas_expander_alloc(). Fix this bug by adding a NULL check of rphy. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: f92363d12359 ("mpt3sas: add new driver supporting 12GB SAS") Signed-off-by: Zhou Qingyang <zhou1615@umn.edu> --- The analysis employs differential checking to identify inconsistent security operations (e.g., checks or kfrees) between two code paths and confirms that the inconsistent operations are not recovered in the current function or the callers, so they constitute bugs. Note that, as a bug found by static analysis, it can be a false positive or hard to trigger. Multiple researchers have cross-reviewed the bug. drivers/scsi/mpt3sas/mpt3sas_transport.c | 5 +++++ 1 file changed, 5 insertions(+)