An untrusted device may return a NULL context pointer in the request header. hptiop_iop_request_callback_itl() dereferences that pointer unconditionally to write result fields and to invoke arg->done(), which can cause a NULL pointer dereference.
Add a NULL check for the reconstructed context pointer. If it is NULL, acknowledge the request by writing the tag to the outbound queue and return early.
Fixes: ede1e6f8b432 ("[SCSI] hptiop: HighPoint RocketRAID 3xxx controller driver")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/scsi/hptiop.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/hptiop.c b/drivers/scsi/hptiop.c index 21f1d9871a33..2b29cd83ce5e 100644 --- a/drivers/scsi/hptiop.c +++ b/drivers/scsi/hptiop.c @@ -812,6 +812,11 @@ static void hptiop_iop_request_callback_itl(struct hptiop_hba *hba, u32 tag) (readl(&req->context) | ((u64)readl(&req->context_hi32)<<32));
+ if (!arg) { + writel(tag, &hba->u.itl.iop->outbound_queue); + return; + } + if (readl(&req->result) == IOP_RESULT_SUCCESS) { arg->result = HPT_IOCTL_RESULT_OK;
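Review bot: the added `if (!arg)` check only rejects a zero context, but the value it guards is reconstructed from two device-supplied registers (`readl(&req->context)` and `readl(&req->context_hi32)`), so any other corrupted 64-bit value returned by the controller is still dereferenced as `arg` in the lines that follow; a one-line comment above the check stating that it covers the NULL case only would keep that limitation visible to the next reader. Since a NULL context on this path indicates a misbehaving or untrusted device rather than a normal completion, consider also emitting a rate-limited warning before the early `return` so the event shows up in the kernel log instead of being silently acknowledged via `writel(tag, &hba->u.itl.iop->outbound_queue)`.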