From: bugzilla-daemon@kernel.org
To: linux-scsi@vger.kernel.org
Subject: [Bug 220714] New: arcmsr: missing NULL check for dma_alloc_coherent() in arcmsr_alloc_xor_buffer() leads to NULL arithmetic/deref
Date: Tue, 28 Oct 2025 19:01:09 +0000
Message-ID: <bug-220714-11613@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=220714
            Bug ID: 220714
           Summary: arcmsr: missing NULL check for dma_alloc_coherent() in
                    arcmsr_alloc_xor_buffer() leads to NULL
                    arithmetic/deref
           Product: SCSI Drivers
           Version: 2.5
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
          Assignee: scsi_drivers-other@kernel-bugs.osdl.org
          Reporter: qiushi.wu@ibm.com
        Regression: No
In arcmsr_alloc_xor_buffer() the first DMA allocation
dma_coherent = dma_alloc_coherent(&pdev->dev, acb->init2cfg_size,
&dma_coherent_handle, GFP_KERNEL);
is not checked for NULL before it’s used to compute pXorPhys and pXorVirt
(pointer arithmetic at lines like 775 and 779 in the snippet below). If this
allocation fails, the code performs arithmetic and later writes through
pointers derived from a NULL base. This was found by a static analyzer; no
reproducer.
The code snippet is:
 755 static int arcmsr_alloc_xor_buffer(struct AdapterControlBlock *acb)
 756 {
 757         int rc = 0;
 758         struct pci_dev *pdev = acb->pdev;
 759         void *dma_coherent;
 760         dma_addr_t dma_coherent_handle;
 761         int i, xor_ram;
 762         struct Xor_sg *pXorPhys;
 763         void **pXorVirt;
 764         struct HostRamBuf *pRamBuf;
 765 
 766         // allocate 1 MB * N physically continuous memory for XOR engine.
 767         xor_ram = (acb->firm_PicStatus >> 24) & 0x0f;
 768         acb->xor_mega = (xor_ram - 1) * 32 + 128 + 3;
 769         acb->init2cfg_size = sizeof(struct HostRamBuf) +
 770                 (sizeof(struct XorHandle) * acb->xor_mega);
 771         dma_coherent = dma_alloc_coherent(&pdev->dev, acb->init2cfg_size,
 772                 &dma_coherent_handle, GFP_KERNEL);
 773         acb->xorVirt = dma_coherent;
 774         acb->xorPhys = dma_coherent_handle;
 775         pXorPhys = (struct Xor_sg *)((unsigned long)dma_coherent +
 776                 sizeof(struct HostRamBuf));
 777         acb->xorVirtOffset = sizeof(struct HostRamBuf) +
 778                 (sizeof(struct Xor_sg) * acb->xor_mega);
 779         pXorVirt = (void **)((unsigned long)dma_coherent +
 780                 (unsigned long)acb->xorVirtOffset);
 781         for (i = 0; i < acb->xor_mega; i++) {
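Added example, not from the report or the arcmsr driver: a user-space model of the allocation path above, with stand-in struct layouts, an assumed context struct and a mock allocator, showing that pointers derived from a NULL base are themselves non-NULL, which is why the check has to sit on the dma_alloc_coherent() return value before any arithmetic.

```c
/* User-space model of the arcmsr_alloc_xor_buffer() pattern. The structs, the
 * mock allocator and the context struct are stand-ins (assumptions). */
#include <stdint.h>
#include <stdlib.h>
#define ENOMEM 12
struct HostRamBuf { uint32_t hrb_len; uint32_t hrb_type; }; /* hypothetical */
struct Xor_sg     { uint64_t phys; uint64_t len; };          /* hypothetical */
struct xor_ctx {                 /* assumed subset of AdapterControlBlock */
    int xor_mega;
    void *xorVirt;
    uint64_t xorPhys;
    size_t xorVirtOffset;
    struct Xor_sg *pXorPhys;
    void **pXorVirt;
};
/* Stand-in for dma_alloc_coherent(): returns NULL while fail_alloc is set. */
static int fail_alloc;
static void *mock_dma_alloc_coherent(size_t size, uint64_t *handle)
{
    if (fail_alloc) { *handle = 0; return NULL; }
    *handle = 0x1000;            /* constructed bus address */
    return calloc(1, size);
}
/* Sizing from the report: xor_ram is bits 27..24 of firm_PicStatus. */
static int xor_mega_from_status(uint32_t firm_PicStatus)
{
    int xor_ram = (firm_PicStatus >> 24) & 0x0f;
    return (xor_ram - 1) * 32 + 128 + 3;
}
/* check_base == 0 reproduces the reported code: pXorPhys and pXorVirt are
 * derived from a NULL base and come out non-NULL, so a later test on them
 * cannot catch the failed allocation. check_base == 1 is the hardened form. */
static int alloc_xor(struct xor_ctx *acb, int check_base)
{
    uint64_t handle;
    size_t size = sizeof(struct HostRamBuf) +
                  (sizeof(struct Xor_sg) + sizeof(void *)) * acb->xor_mega;
    void *base = mock_dma_alloc_coherent(size, &handle);
    if (check_base && !base)
        return -ENOMEM;          /* fail before any pointer is derived */
    acb->xorVirt = base;
    acb->xorPhys = handle;
    acb->pXorPhys = (struct Xor_sg *)((uintptr_t)base + sizeof(struct HostRamBuf));
    acb->xorVirtOffset = sizeof(struct HostRamBuf) + sizeof(struct Xor_sg) * acb->xor_mega;
    acb->pXorVirt = (void **)((uintptr_t)base + acb->xorVirtOffset);
    return 0;
}
```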