scsi: qedf: Add additional checks for io_req->sc_cmd validity
authorChad Dupuis <cdupuis@marvell.com>
Tue, 26 Mar 2019 07:38:46 +0000 (00:38 -0700)
committerMartin K. Petersen <martin.petersen@oracle.com>
Thu, 28 Mar 2019 01:54:52 +0000 (21:54 -0400)
 - Check the validity of various pointers before processing.

Signed-off-by: Chad Dupuis <cdupuis@marvell.com>
Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/qedf/qedf_io.c

index ab6705660e674a482502fb7a2669f04f36580efe..8d09cf3fe49b4150a7f272dd55319315865c7979 100644 (file)
@@ -1324,7 +1324,7 @@ void qedf_scsi_done(struct qedf_ctx *qedf, struct qedf_ioreq *io_req,
 
        if (!virt_addr_valid(sc_cmd)) {
                QEDF_ERR(&qedf->dbg_ctx, "sc_cmd=%p is not valid.", sc_cmd);
-               return;
+               goto bad_scsi_ptr;
        }
 
        if (!sc_cmd->SCp.ptr) {
@@ -1336,7 +1336,34 @@ void qedf_scsi_done(struct qedf_ctx *qedf, struct qedf_ioreq *io_req,
        if (!sc_cmd->device) {
                QEDF_ERR(&qedf->dbg_ctx, "Device for sc_cmd %p is NULL.\n",
                         sc_cmd);
-               return;
+               goto bad_scsi_ptr;
+       }
+
+       if (!virt_addr_valid(sc_cmd->device)) {
+               QEDF_ERR(&qedf->dbg_ctx,
+                        "Device pointer for sc_cmd %p is bad.\n", sc_cmd);
+               goto bad_scsi_ptr;
+       }
+
+       if (!sc_cmd->sense_buffer) {
+               QEDF_ERR(&qedf->dbg_ctx,
+                        "sc_cmd->sense_buffer for sc_cmd %p is NULL.\n",
+                        sc_cmd);
+               goto bad_scsi_ptr;
+       }
+
+       if (!virt_addr_valid(sc_cmd->sense_buffer)) {
+               QEDF_ERR(&qedf->dbg_ctx,
+                        "sc_cmd->sense_buffer for sc_cmd %p is bad.\n",
+                        sc_cmd);
+               goto bad_scsi_ptr;
+       }
+
+       if (!sc_cmd->scsi_done) {
+               QEDF_ERR(&qedf->dbg_ctx,
+                        "sc_cmd->scsi_done for sc_cmd %p is NULL.\n",
+                        sc_cmd);
+               goto bad_scsi_ptr;
        }
 
        qedf_unmap_sg_list(qedf, io_req);
@@ -1365,6 +1392,14 @@ void qedf_scsi_done(struct qedf_ctx *qedf, struct qedf_ioreq *io_req,
        sc_cmd->SCp.ptr = NULL;
        sc_cmd->scsi_done(sc_cmd);
        kref_put(&io_req->refcount, qedf_release_cmd);
+
+bad_scsi_ptr:
+       /*
+        * Clear the io_req->sc_cmd backpointer so we don't try to process
+        * this again
+        */
+       io_req->sc_cmd = NULL;
+       kref_put(&io_req->refcount, qedf_release_cmd);  /* ID: 001 */
 }
 
 /*