Bug 200317

Summary: Null pointer dereference error in linux/drivers/scsi/scsi_transport_fc.c
Product: SCSI Drivers Reporter: Yuexing Wang (wangyxlandq)
Component: Other    Assignee: scsi_drivers-other
Status: NEW
Severity: normal CC: witallwang
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.17.3 Subsystem:
Regression: No Bisected commit-id:

Description Yuexing Wang 2018-06-28 02:53:24 UTC
In function fc_eh_timed_out, which is defined in linux/drivers/scsi/scsi_transport_fc.c, lines 2083-2086:
	struct fc_rport *rport = starget_to_rport(scsi_target(scmd->device));

	if (rport->port_state == FC_PORTSTATE_BLOCKED)
		return BLK_EH_RESET_TIMER;

starget_to_rport is a macro defined in linux/include/scsi/scsi_transport_fc.h:

#define starget_to_rport(s)			\
	scsi_is_fc_rport(s->dev.parent) ? dev_to_rport(s->dev.parent) : NULL

Since starget_to_rport may return a NULL value, the variable rport may be assigned NULL. Thus there is a potential Null Pointer Deref error in if (rport->port_state == FC_PORTSTATE_BLOCKED). There should be a NULL value check for rport.
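The following is an added, self-contained illustration of the pattern the report describes; it is not the kernel's code and not part of the bug report. The struct definitions, scsi_is_fc_rport(), dev_to_rport() and make_target() are constructed stand-ins with just enough shape to reproduce the macro's NULL-returning branch, and the choice to fall through to BLK_EH_DONE when no rport is attached is an assumption made here (the report only asks for a check, not for a specific return value). The unchecked form quoted in the report is deliberately not executed, since it would crash; the third scenario shows that the checked handler is reached with a NULL rport and returns normally.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-ins for the kernel types named in the report; they are
 * not the kernel's definitions, only enough shape to show the pattern. */
enum fc_port_state { FC_PORTSTATE_ONLINE = 1, FC_PORTSTATE_BLOCKED = 2 };
enum blk_eh_timer_return { BLK_EH_DONE = 0, BLK_EH_RESET_TIMER = 1 };

struct device {
    struct device *parent;
    bool is_fc_rport;   /* stands in for the device-type test scsi_is_fc_rport() performs */
};

struct fc_rport {
    struct device dev;
    enum fc_port_state port_state;
};

struct scsi_target {
    struct device dev;
};

/* Stand-in for scsi_is_fc_rport(): true only for a device that is an FC rport. */
static inline bool scsi_is_fc_rport(const struct device *dev)
{
    return dev != NULL && dev->is_fc_rport;
}

/* Stand-in for dev_to_rport(): container_of(dev, struct fc_rport, dev). */
static inline struct fc_rport *dev_to_rport(struct device *dev)
{
    return (struct fc_rport *)((char *)dev - offsetof(struct fc_rport, dev));
}

/* Same shape as the macro quoted in the report: evaluates to NULL when the
 * target's parent is not an rport. Outer parentheses are added here so the
 * ?: operator binds correctly when the macro is used inside an expression. */
#define starget_to_rport(s) \
    (scsi_is_fc_rport((s)->dev.parent) ? dev_to_rport((s)->dev.parent) : NULL)

/* Timeout handler with the NULL check the report asks for. With no rport
 * attached there is nothing to be "blocked", so the non-blocked path is
 * taken (an assumption for this example; the report does not specify it). */
enum blk_eh_timer_return fc_eh_timed_out_checked(struct scsi_target *starget)
{
    struct fc_rport *rport = starget_to_rport(starget);

    if (rport && rport->port_state == FC_PORTSTATE_BLOCKED)
        return BLK_EH_RESET_TIMER;

    return BLK_EH_DONE;
}

/* Helper for the scenarios below: a target whose parent is the given device. */
static struct scsi_target make_target(struct device *parent)
{
    struct scsi_target t = { .dev = { .parent = parent, .is_fc_rport = false } };
    return t;
}

/* Scenario 1: parent is a BLOCKED rport, so the timer is reset. */
int scenario_blocked_rport(void)
{
    struct fc_rport rport = { .dev = { .parent = NULL, .is_fc_rport = true },
                              .port_state = FC_PORTSTATE_BLOCKED };
    struct scsi_target t = make_target(&rport.dev);
    return fc_eh_timed_out_checked(&t);
}

/* Scenario 2: parent is an ONLINE rport, so normal error handling proceeds. */
int scenario_online_rport(void)
{
    struct fc_rport rport = { .dev = { .parent = NULL, .is_fc_rport = true },
                              .port_state = FC_PORTSTATE_ONLINE };
    struct scsi_target t = make_target(&rport.dev);
    return fc_eh_timed_out_checked(&t);
}

/* Scenario 3: parent is not an rport (the case the report describes):
 * starget_to_rport() yields NULL and an unchecked dereference would fault.
 * Returns -1 if the macro unexpectedly produced a non-NULL pointer. */
int scenario_no_rport(void)
{
    struct device host_dev = { .parent = NULL, .is_fc_rport = false };
    struct scsi_target t = make_target(&host_dev);
    return starget_to_rport(&t) == NULL ? fc_eh_timed_out_checked(&t) : -1;
}
```

The guard `rport && ...` is the whole fix; the scenarios exist only to show that the macro really does produce NULL for a target whose parent is not an rport, which is the condition under which the quoted code would dereference NULL.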
Comment 1 Matt Wang 2018-07-09 02:52:50 UTC
I think this is by-design. If a target can not find its parents, it indicates there is problem during enumeration. Panic is proper in this situation.
Comment 2 Yuexing Wang 2018-07-09 03:11:52 UTC
(In reply to Matt Wang from comment #1)
> I think this is by-design. If a target can not find its parents, it
> indicates there is problem during enumeration. Panic is proper in this
> situation.

There are other places in the code (fc_target_setup in the same file, for example) where the return value from starget_to_rport is checked to avoid NPD error. Since most usages for the macro check its return value, we think it is necessary to do the same in function fc_eh_timed_out.