* [Bug 220714] New: arcmsr: missing NULL check for dma_alloc_coherent() in arcmsr_alloc_xor_buffer() leads to NULL arithmetic/deref
From: bugzilla-daemon @ 2025-10-28 19:01 UTC
To: linux-scsi
https://bugzilla.kernel.org/show_bug.cgi?id=220714
Bug ID: 220714
Summary: arcmsr: missing NULL check for dma_alloc_coherent() in arcmsr_alloc_xor_buffer() leads to NULL arithmetic/deref
Product: SCSI Drivers
Version: 2.5
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Other
Assignee: scsi_drivers-other@kernel-bugs.osdl.org
Reporter: qiushi.wu@ibm.com
Regression: No
In arcmsr_alloc_xor_buffer() the first DMA allocation
dma_coherent = dma_alloc_coherent(&pdev->dev, acb->init2cfg_size,
&dma_coherent_handle, GFP_KERNEL);
is not checked for NULL before it’s used to compute pXorPhys and pXorVirt
(pointer arithmetic at lines like 775 and 779 in the snippet below). If this
allocation fails, the code performs arithmetic and later writes through
pointers derived from a NULL base. This was found by a static analyzer; no
reproducer.
The code snippet is:
755 static int arcmsr_alloc_xor_buffer(struct AdapterControlBlock *acb)
756 {
757 int rc = 0;
758 struct pci_dev *pdev = acb->pdev;
759 void *dma_coherent;
760 dma_addr_t dma_coherent_handle;
761 int i, xor_ram;
762 struct Xor_sg *pXorPhys;
763 void **pXorVirt;
764 struct HostRamBuf *pRamBuf;
765
766 // allocate 1 MB * N physically continuous memory for XOR engine.
767 xor_ram = (acb->firm_PicStatus >> 24) & 0x0f;
768 acb->xor_mega = (xor_ram - 1) * 32 + 128 + 3;
769 acb->init2cfg_size = sizeof(struct HostRamBuf) +
770 (sizeof(struct XorHandle) * acb->xor_mega);
771 dma_coherent = dma_alloc_coherent(&pdev->dev, acb->init2cfg_size,
772 &dma_coherent_handle, GFP_KERNEL);
773 acb->xorVirt = dma_coherent;
774 acb->xorPhys = dma_coherent_handle;
775 pXorPhys = (struct Xor_sg *)((unsigned long)dma_coherent +
776 sizeof(struct HostRamBuf));
777 acb->xorVirtOffset = sizeof(struct HostRamBuf) +
778 (sizeof(struct Xor_sg) * acb->xor_mega);
779 pXorVirt = (void **)((unsigned long)dma_coherent +
780 (unsigned long)acb->xorVirtOffset);
781 for (i = 0; i < acb->xor_mega; i++) {
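As an added illustration of why the check has to sit directly after dma_alloc_coherent() (this is example code, not part of the report or of the arcmsr driver): a user-space C model of the layout arithmetic quoted above, with constructed struct sizes and a hypothetical derive_xor_layout() helper standing in for the driver code, fed a NULL base. The unchecked variant yields a pXorPhys equal to sizeof(struct HostRamBuf), so even a later NULL test on pXorPhys would pass; the checked variant returns -ENOMEM before anything is derived.

```c
#include <stddef.h>
#include <stdint.h>
#define ENOMEM 12
/* Constructed stand-ins for the driver's types; the sizes are arbitrary. */
struct HostRamBuf { uint32_t hdr[4]; };            /* 16 bytes */
struct Xor_sg    { uint64_t addr; uint64_t len; }; /* 16 bytes */

struct xor_alloc {
    void *xorVirt;
    struct Xor_sg *pXorPhys;      /* first Xor_sg, just past the HostRamBuf header */
    void **pXorVirt;              /* table placed after the Xor_sg array */
    unsigned long xorVirtOffset;
};

/* Derive the buffer layout from the block dma_alloc_coherent() handed back; the base is
 * a parameter so a failed allocation (NULL) can be fed in. checked == 0 mirrors the
 * reported code path, checked == 1 adds the missing test. Hypothetical helper. */
static int derive_xor_layout(struct xor_alloc *a, void *dma_coherent,
                             int xor_mega, int checked)
{
    if (checked && !dma_coherent)
        return -ENOMEM;           /* bail out before deriving anything from the base */
    a->xorVirt = dma_coherent;
    a->pXorPhys = (struct Xor_sg *)((unsigned long)dma_coherent + sizeof(struct HostRamBuf));
    a->xorVirtOffset = sizeof(struct HostRamBuf) + sizeof(struct Xor_sg) * (unsigned long)xor_mega;
    a->pXorVirt = (void **)((unsigned long)dma_coherent + a->xorVirtOffset);
    return 0;
}

/* xor_mega as the driver computes it: (xor_ram - 1) * 32 + 128 + 3. */
static int xor_mega_for(int xor_ram) { return (xor_ram - 1) * 32 + 128 + 3; }

/* Unchecked path with a NULL base: pXorPhys becomes a small non-zero address,
 * so a later "if (!pXorPhys)" would not catch the failure either. */
static unsigned long buggy_pxorphys_after_failed_alloc(void)
{
    struct xor_alloc a = {0};
    derive_xor_layout(&a, NULL, xor_mega_for(1), 0);
    return (unsigned long)a.pXorPhys;   /* == sizeof(struct HostRamBuf) == 16 */
}

/* Checked path with the same NULL base: the error is reported and nothing is derived. */
static int fixed_rc_after_failed_alloc(void)
{
    struct xor_alloc a = {0};
    return derive_xor_layout(&a, NULL, xor_mega_for(1), 1);   /* == -ENOMEM */
}
```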