Module Name:    src
Committed By:   christos
Date:           Thu Apr 17 16:08:42 UTC 2014

Modified Files:
        src/sys/dev/ic: mpt_netbsd.c

Log Message:
CID/1203197: NULL deref


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/sys/dev/ic/mpt_netbsd.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/dev/ic/mpt_netbsd.c
diff -u src/sys/dev/ic/mpt_netbsd.c:1.23 src/sys/dev/ic/mpt_netbsd.c:1.24
--- src/sys/dev/ic/mpt_netbsd.c:1.23	Thu Apr 17 11:55:53 2014
+++ src/sys/dev/ic/mpt_netbsd.c	Thu Apr 17 12:08:42 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: mpt_netbsd.c,v 1.23 2014/04/17 15:55:53 christos Exp $	*/
+/*	$NetBSD: mpt_netbsd.c,v 1.24 2014/04/17 16:08:42 christos Exp $	*/
 
 /*
  * Copyright (c) 2003 Wasabi Systems, Inc.
@@ -77,7 +77,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: mpt_netbsd.c,v 1.23 2014/04/17 15:55:53 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: mpt_netbsd.c,v 1.24 2014/04/17 16:08:42 christos Exp $");
 
 #include <dev/ic/mpt.h>			/* pulls in all headers */
 #include <sys/scsiio.h>
@@ -516,19 +516,22 @@ mpt_done(mpt_softc_t *mpt, uint32_t repl
 
 		/* XXX BUS_DMASYNC_POSTREAD XXX */
 		mpt_reply = MPT_REPLY_PTOV(mpt, reply);
-		if (mpt->verbose > 1) {
-			uint32_t *pReply = (uint32_t *) mpt_reply;
+		if (mpt_reply != NULL) {
+			if (mpt->verbose > 1) {
+				uint32_t *pReply = (uint32_t *) mpt_reply;
 
-			mpt_prt(mpt, "Address Reply (index %u):",
-			    le32toh(mpt_reply->MsgContext) & 0xffff);
-			mpt_prt(mpt, "%08x %08x %08x %08x",
-			    pReply[0], pReply[1], pReply[2], pReply[3]);
-			mpt_prt(mpt, "%08x %08x %08x %08x",
-			    pReply[4], pReply[5], pReply[6], pReply[7]);
-			mpt_prt(mpt, "%08x %08x %08x %08x",
-			    pReply[8], pReply[9], pReply[10], pReply[11]);
-		}
-		index = le32toh(mpt_reply->MsgContext);
+				mpt_prt(mpt, "Address Reply (index %u):",
+				    le32toh(mpt_reply->MsgContext) & 0xffff);
+				mpt_prt(mpt, "%08x %08x %08x %08x", pReply[0],
+				    pReply[1], pReply[2], pReply[3]);
+				mpt_prt(mpt, "%08x %08x %08x %08x", pReply[4],
+				    pReply[5], pReply[6], pReply[7]);
+				mpt_prt(mpt, "%08x %08x %08x %08x", pReply[8],
+				    pReply[9], pReply[10], pReply[11]);
+			}
+			index = le32toh(mpt_reply->MsgContext);
+		} else
+			index = reply & MPT_CONTEXT_MASK;
 	}
 
 	/*
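Review bot: The new `else` arm sets `index = reply & MPT_CONTEXT_MASK` from a reply word that this branch was treating as a reply-frame address (it goes through `MPT_REPLY_PTOV` and is logged as "Address Reply"). The masked value is therefore presumably address bits rather than a request context. Unless the code after this hunk range-checks `index` before using it to look up a request, a reply that maps to no frame could complete an unrelated request. It would be safer to treat this as a bogus reply, for example `mpt_prt(mpt, "mpt_done: no reply frame for 0x%x", reply);`, and stop processing it rather than invent an index. mpt_done starts before and continues past this hunk, so the validation that follows is not visible here.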
@@ -763,16 +766,19 @@ mpt_done(mpt_softc_t *mpt, uint32_t repl
 		break;
 	}
 
-	if (mpt_reply->SCSIState & MPI_SCSI_STATE_AUTOSENSE_VALID) {
-		memcpy(&xs->sense.scsi_sense, req->sense_vbuf,
-		    sizeof(xs->sense.scsi_sense));
-	} else if (mpt_reply->SCSIState & MPI_SCSI_STATE_AUTOSENSE_FAILED) {
-		/*
-		 * This will cause the scsipi layer to issue
-		 * a REQUEST SENSE.
-		 */
-		if (xs->status == SCSI_CHECK)
-			xs->error = XS_BUSY;
+	if (mpt_reply != NULL) {
+		if (mpt_reply->SCSIState & MPI_SCSI_STATE_AUTOSENSE_VALID) {
+			memcpy(&xs->sense.scsi_sense, req->sense_vbuf,
+			    sizeof(xs->sense.scsi_sense));
+		} else if (mpt_reply->SCSIState &
+		    MPI_SCSI_STATE_AUTOSENSE_FAILED) {
+			/*
+			 * This will cause the scsipi layer to issue
+			 * a REQUEST SENSE.
+			 */
+			if (xs->status == SCSI_CHECK)
+				xs->error = XS_BUSY;
+		}
 	}
 
  done:
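Review bot: The added `if (mpt_reply != NULL)` protects only the `SCSIState` tests. The roughly 230 lines between this hunk and the previous one are not shown, and the `break;` at the top closes a switch that presumably inspects the reply. If anything in that stretch reads through `mpt_reply`, the NULL case reported in CID 1203197 is still reachable before this guard, so a single early exit after the lookup would be more robust than per-use checks. When `mpt_reply` is NULL the sense handling is now skipped silently; a short comment such as `/* no reply frame: no autosense state to inspect */` would make that intent explicit.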
