From: zhaoguohan_salmon@163.com
To: richard.henderson@linaro.org, deller@gmx.de
Cc: pbonzini@redhat.com, fam@euphon.net, qemu-devel@nongnu.org (open list:All patches CC here), GuoHan Zhao, Soumyajyotii Datta
Subject: [PATCH v2] hw/scsi/ncr710: Fix null pointer dereference in `ncr710_transfer_data`
Date: Sat, 1 Nov 2025 14:12:13 +0800
Message-ID: <20251101061213.164644-1-zhaoguohan_salmon@163.com>
From: GuoHan Zhao

Fix a null pointer dereference issue in ncr710_transfer_data(). The code
dereferences s->current->dma_len before checking if s->current is NULL.
Only the dma_len assignment needs null protection, while s->command_complete
should be set unconditionally to maintain proper boot sequence.

Initialize s->current from req->hba_private if it is NULL before accessing
dma_len.

Fixes: 9ce93b74cdc0 ("ncr710: Add driver for the NCR 53c710 SCSI chip")
Suggested-by: Soumyajyotii Datta
Reviewed-by: Helge Deller
Signed-off-by: GuoHan Zhao
---
Changes in v2:
- Only protect dma_len assignment instead of moving all code
- Keep s->command_complete set unconditionally
- Initialize s->current from req->hba_private when NULL
- Thanks to Soumyajyotii for testing and suggesting the fix
---
 hw/scsi/ncr53c710.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/scsi/ncr53c710.c b/hw/scsi/ncr53c710.c
index e479a212bc54..01b0ca21ec51 100644
--- a/hw/scsi/ncr53c710.c
+++ b/hw/scsi/ncr53c710.c
@@ -831,13 +831,13 @@ void ncr710_transfer_data(SCSIRequest *req, uint32_t len)
         }
     }
 
+    /* Host adapter (re)connected */
+    s->command_complete = NCR710_CMD_DATA_READY;
+
     if (!s->current) {
-        return;
+        s->current = (NCR710Request *)req->hba_private;
     }
-
-    /* Host adapter (re)connected */
     s->current->dma_len = len;
-    s->command_complete = NCR710_CMD_DATA_READY;
 
     if (s->waiting) {
         s->scntl1 |= NCR710_SCNTL1_CON;
-- 
2.43.0
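Review bot: the new `s->current = (NCR710Request *)req->hba_private;` branch in this hunk only trades one NULL dereference for another when `hba_private` is itself NULL, because `s->current->dma_len = len;` follows unconditionally; unless every SCSIRequest that reaches ncr710_transfer_data() is guaranteed to carry an NCR710Request in hba_private, check the result before using it (for example `if (!s->current) { return; }` after the assignment, or an assert if the invariant is meant to hold) rather than dereferencing it blindly. The commit message also no longer describes what the hunk changes: the removed lines show the base already guarded the access with `if (!s->current) { return; }`, so the defect being fixed is that the early return skipped `s->command_complete = NCR710_CMD_DATA_READY;`, not an unchecked dereference of s->current; reword the first paragraph to say so. Minor: if hba_private is the usual void pointer, the explicit cast on the assignment is redundant in C.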