lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20210303073408.461-1-dinghao.liu@zju.edu.cn>
Date:   Wed,  3 Mar 2021 15:34:08 +0800
From:   Dinghao Liu <dinghao.liu@....edu.cn>
To:     dinghao.liu@....edu.cn, kjlu@....edu
Cc:     Jens Axboe <axboe@...nel.dk>, linux-ide@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH] [v2] sata_dwc_460ex: Fix missing check in sata_dwc_isr

The return value of ata_qc_from_tag() is checked in the whole
kernel except for two calls in sata_dwc_isr(), which may lead
to null-pointer-dereference. Add return value checks to avoid
such case.

Signed-off-by: Dinghao Liu <dinghao.liu@....edu.cn>
---

Changelog:

v2: - Refine commit message.
      Add return value check for another ata_qc_from_tag() call.
---
 drivers/ata/sata_dwc_460ex.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
index 9dcef6ac643b..f0ef844428bb 100644
--- a/drivers/ata/sata_dwc_460ex.c
+++ b/drivers/ata/sata_dwc_460ex.c
@@ -543,6 +543,11 @@ static irqreturn_t sata_dwc_isr(int irq, void *dev_instance)
 		hsdev->sactive_issued |= qcmd_tag_to_mask(tag);
 
 		qc = ata_qc_from_tag(ap, tag);
+		if (unlikely(!qc)) {
+			dev_err(ap->dev, "failed to get qc");
+			handled = 1;
+			goto DONE;
+		}
 		/*
 		 * Start FP DMA for NCQ command.  At this point the tag is the
 		 * active tag.  It is the tag that matches the command about to
@@ -658,6 +663,11 @@ static irqreturn_t sata_dwc_isr(int irq, void *dev_instance)
 
 		tag_mask &= (~0x00000001);
 		qc = ata_qc_from_tag(ap, tag);
+		if (unlikely(!qc)) {
+			dev_err(ap->dev, "failed to get qc");
+			handled = 1;
+			goto DONE;
+		}
 
 		/* To be picked up by completion functions */
 		qc->ap->link.active_tag = tag;
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ