From patchwork Mon Jan 10 12:02:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christophe JAILLET X-Patchwork-Id: 531055 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 04BA7C433FE for ; Mon, 10 Jan 2022 12:03:45 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245214AbiAJMDm (ORCPT ); Mon, 10 Jan 2022 07:03:42 -0500 Received: from smtp01.smtpout.orange.fr ([80.12.242.123]:55863 "EHLO smtp.smtpout.orange.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245199AbiAJMDf (ORCPT ); Mon, 10 Jan 2022 07:03:35 -0500 Received: from pop-os.home ([90.11.185.88]) by smtp.orange.fr with ESMTPA id 6tOcndEAwLyIy6tOdnXf7n; Mon, 10 Jan 2022 13:03:32 +0100 X-ME-Helo: pop-os.home X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Mon, 10 Jan 2022 13:03:32 +0100 X-ME-IP: 90.11.185.88 From: Christophe JAILLET To: hch@lst.de, "James E.J. Bottomley" , "Martin K. Petersen" , Bart Van Assche , Johannes Thumshirn , Hannes Reinecke Cc: linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET , linux-scsi@vger.kernel.org Subject: [PATCH v2] scsi: pmcraid: Fix memory allocation in 'pmcraid_alloc_sglist()' Date: Mon, 10 Jan 2022 13:02:53 +0100 Message-Id: <11a1bc98501de37baa5bcd10b61136f6e450b82e.1641816080.git.christophe.jaillet@wanadoo.fr> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-scsi@vger.kernel.org When the scatter list is allocated in 'pmcraid_alloc_sglist()', the corresponding pointer should be stored in 'scatterlist' within the 'pmcraid_sglist' structure. Otherwise, 'scatterlist' is NULL. This leads to a potential memory leak and NULL pointer dereference. Fixes: ed4414cef2ad ("scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order()") Signed-off-by: Christophe JAILLET Reviewed-by: Christoph Hellwig --- This patch is completely speculative and untested. Should it be correct, I think that their should be some trouble somewhere. Either NULL pointer dereference or incorrect behavior. The patch that introduced this potential bug is from 2018-02. So, this should have been spotted earlier. So unless this driver is mostly unused, this looks odd to me. Feedback appreciated. Review with care! v2: synch with -next-20220110 --- drivers/scsi/pmcraid.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c index 928532180d32..e314ea133827 100644 --- a/drivers/scsi/pmcraid.c +++ b/drivers/scsi/pmcraid.c @@ -3221,8 +3221,9 @@ static struct pmcraid_sglist *pmcraid_alloc_sglist(int buflen) return NULL; sglist->order = order; - sgl_alloc_order(buflen, order, false, GFP_KERNEL | __GFP_ZERO, - &sglist->num_sg); + sglist->scatterlist = sgl_alloc_order(buflen, order, false, + GFP_KERNEL | __GFP_ZERO, + &sglist->num_sg); return sglist; }