In function fc_eh_timed_out, which is defined in linux/drivers/scsi/scsi_transport_fc.c 2083-2086,

    struct fc_rport *rport = starget_to_rport(scsi_target(scmd->device));

    if (rport->port_state == FC_PORTSTATE_BLOCKED)
            return BLK_EH_RESET_TIMER;

starget_to_rport is a macro defined in linux/include/scsi/scsi_transport_fc.h,

    #define starget_to_rport(s) \
            scsi_is_fc_rport(s->dev.parent) ? dev_to_rport(s->dev.parent) : NULL

Since starget_to_rport may return a NULL value, the variable rport may be assigned NULL. Thus there is a potential Null Pointer Deref error in if (rport->port_state == FC_PORTSTATE_BLOCKED). There should be a NULL value check for rport.

I think this is by design. If a target cannot find its parent, it indicates there is a problem during enumeration. Panic is proper in this situation.

(In reply to Matt Wang from comment #1)
> I think this is by design. If a target cannot find its parent, it
> indicates there is a problem during enumeration. Panic is proper in this
> situation.

There are other places in the code (fc_target_setup in the same file, for example) where the return value from starget_to_rport is checked to avoid an NPD error. Since most usages of the macro check its return value, we think it is necessary to do the same in function fc_eh_timed_out.
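
The check requested in this report, as an added example that is not part of the thread and is not kernel code: a userspace model of the lookup and a guarded timeout handler. The struct layouts, the `is_fc_rport` flag, the `timed_out_checked` and `demo` names, and the value returned when no rport is found are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model, constructed for illustration; not the kernel's definitions. */
enum { FC_PORTSTATE_ONLINE, FC_PORTSTATE_BLOCKED };
enum eh_ret { BLK_EH_NOT_HANDLED, BLK_EH_RESET_TIMER };
struct device { struct device *parent; int is_fc_rport; };
struct fc_rport { int port_state; struct device dev; };
struct scsi_target { struct device dev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define dev_to_rport(d) container_of(d, struct fc_rport, dev)

/* Stand-in for the kernel's type test (hypothetical flag-based version). */
static int scsi_is_fc_rport(const struct device *d)
{
	return d && d->is_fc_rport;
}

/* Same shape as the macro quoted in the report, parenthesised here. */
#define starget_to_rport(s) \
	(scsi_is_fc_rport((s)->dev.parent) ? dev_to_rport((s)->dev.parent) : NULL)

/* Timeout handler with the NULL check the report asks for. */
static enum eh_ret timed_out_checked(struct scsi_target *starget)
{
	struct fc_rport *rport = starget_to_rport(starget);

	if (!rport)	/* parent is not an FC rport: do not dereference */
		return BLK_EH_NOT_HANDLED;	/* assumed fallback value */
	if (rport->port_state == FC_PORTSTATE_BLOCKED)
		return BLK_EH_RESET_TIMER;
	return BLK_EH_NOT_HANDLED;
}

/* Build a constructed target whose parent is, or is not, an FC rport. */
static enum eh_ret demo(int parent_is_rport, int state)
{
	struct fc_rport rport = { .port_state = state, .dev = { NULL, 1 } };
	struct device plain = { NULL, 0 };
	struct scsi_target t = { .dev = { parent_is_rport ? &rport.dev : &plain, 0 } };
	return timed_out_checked(&t);
}

int main(void)
{
	printf("blocked rport: %d, no rport parent: %d\n",
	       demo(1, FC_PORTSTATE_BLOCKED), demo(0, FC_PORTSTATE_BLOCKED));
	return 0;
}
```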