On Thu, Mar 26, 2020 at 01:03:26AM +0100, Tobias Heider wrote: > sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be > NULL if the memory pool is depleted. > The result is used as 'dst' argument to memcpy() in the following call to > sr_raid5_regenerate(), resulting in a possible NULL dereference. > > ok? > > Index: softraid_raid5.c > =================================================================== > RCS file: /mount/openbsd/cvs/src/sys/dev/softraid_raid5.c,v > retrieving revision 1.29 > diff -u -p -r1.29 softraid_raid5.c > --- softraid_raid5.c 8 Aug 2019 02:19:55 -0000 1.29 > +++ softraid_raid5.c 25 Mar 2020 23:54:25 -0000 > @@ -818,7 +818,8 @@ sr_raid5_rebuild(struct sr_discipline *s > wu_w = sr_scsi_wu_get(sd, 0); > wu_r = sr_scsi_wu_get(sd, 0); > > - xorbuf = sr_block_get(sd, strip_size); > + if ((xorbuf = sr_block_get(sd, strip_size)) == NULL) > + goto bad; > if (sr_raid5_regenerate(wu_r, rebuild_chunk, chunk_lba, > strip_size, xorbuf)) > goto bad; >
Obvious fix. ok stsp@ Same problem is present in sr_raid5_scrub() which is currently in #if 0.