* [PATCH v2] scsi: pmcraid: Fix memory allocation in 'pmcraid_alloc_sglist()'
@ 2022-01-10 12:02 Christophe JAILLET
  2022-01-10 16:44 ` Christoph Hellwig
  0 siblings, 1 reply; 3+ messages in thread
From: Christophe JAILLET @ 2022-01-10 12:02 UTC (permalink / raw)
  To: hch, James E.J. Bottomley, Martin K. Petersen, Bart Van Assche,
	Johannes Thumshirn, Hannes Reinecke
  Cc: linux-kernel, kernel-janitors, Christophe JAILLET, linux-scsi

When the scatter list is allocated in 'pmcraid_alloc_sglist()', the
corresponding pointer should be stored in 'scatterlist' within the
'pmcraid_sglist' structure. Otherwise, 'scatterlist' is NULL.

This leads to a potential memory leak and NULL pointer dereference.

Fixes: ed4414cef2ad ("scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order()")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
This patch is completely speculative and untested.

Should it be correct, I think that there should be some trouble somewhere.
Either NULL pointer dereference or incorrect behavior.
The patch that introduced this potential bug is from 2018-02. So, this
should have been spotted earlier.

So unless this driver is mostly unused, this looks odd to me.
Feedback appreciated.

Review with care!

v2: synch with -next-20220110
---
 drivers/scsi/pmcraid.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
index 928532180d32..e314ea133827 100644
--- a/drivers/scsi/pmcraid.c
+++ b/drivers/scsi/pmcraid.c
@@ -3221,8 +3221,9 @@ static struct pmcraid_sglist *pmcraid_alloc_sglist(int buflen)
 		return NULL;
 
 	sglist->order = order;
-	sgl_alloc_order(buflen, order, false, GFP_KERNEL | __GFP_ZERO,
-			&sglist->num_sg);
+	sglist->scatterlist = sgl_alloc_order(buflen, order, false,
+					      GFP_KERNEL | __GFP_ZERO,
+					      &sglist->num_sg);
 
 	return sglist;
 }
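Review bot: the hunk stores the result of sgl_alloc_order() in sglist->scatterlist but never checks it. sgl_alloc_order() returns NULL when the underlying allocation fails, so on that path pmcraid_alloc_sglist() still hands back a pmcraid_sglist whose scatterlist is NULL, which is the very state the commit message says leads to a NULL pointer dereference. Suggest following the `return NULL;` error path already visible at the top of the hunk: test `if (!sglist->scatterlist)`, release sglist with the counterpart of whatever allocated it above, and return NULL instead of `return sglist;`.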
-- 
2.32.0



* Re: [PATCH v2] scsi: pmcraid: Fix memory allocation in 'pmcraid_alloc_sglist()'
  2022-01-10 12:02 [PATCH v2] scsi: pmcraid: Fix memory allocation in 'pmcraid_alloc_sglist()' Christophe JAILLET
@ 2022-01-10 16:44 ` Christoph Hellwig
  2022-01-11  3:01   ` Martin K. Petersen
  0 siblings, 1 reply; 3+ messages in thread
From: Christoph Hellwig @ 2022-01-10 16:44 UTC (permalink / raw)
  To: Christophe JAILLET
  Cc: hch, James E.J. Bottomley, Martin K. Petersen, Bart Van Assche,
	Johannes Thumshirn, Hannes Reinecke, linux-kernel,
	kernel-janitors, linux-scsi

On Mon, Jan 10, 2022 at 01:02:53PM +0100, Christophe JAILLET wrote:
> When the scatter list is allocated in 'pmcraid_alloc_sglist()', the
> corresponding pointer should be stored in 'scatterlist' within the
> 'pmcraid_sglist' structure. Otherwise, 'scatterlist' is NULL.
> 
> This leads to a potential memory leak and NULL pointer dereference.
> 
> Fixes: ed4414cef2ad ("scsi: pmcraid: Use sgl_alloc_order() and sgl_free_order()")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> ---
> This patch is completely speculative and untested.
> 
> Should it be correct, I think that there should be some trouble somewhere.
> Either NULL pointer dereference or incorrect behavior.
> The patch that introduced this potential bug is from 2018-02. So, this
> should have been spotted earlier.
> 
> So unless this driver is mostly unused, this looks odd to me.
> Feedback appreciated.

The whole passthrough ioctl path looks completely broken to me.  For
example it dma maps the scatterlist and after that copies data to it,
which is prohibited by the DMA API contract.

So I'd be tempted to just remove the PMCRAID_PASSTHROUGH_IOCTL ioctl
implementation entirely, and if users for it do pop up we should
reimplement it using the proper block layer request mapping helpers.

If for some reason we don't want that and just fix the obvious
problem without a way to test for it, your patch looks good to me:

Reviewed-by: Christoph Hellwig <hch@lst.de>


* Re: [PATCH v2] scsi: pmcraid: Fix memory allocation in 'pmcraid_alloc_sglist()'
  2022-01-10 16:44 ` Christoph Hellwig
@ 2022-01-11  3:01   ` Martin K. Petersen
  0 siblings, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2022-01-11  3:01 UTC (permalink / raw)
  To: Christoph Hellwig
  Cc: Christophe JAILLET, James E.J. Bottomley, Martin K. Petersen,
	Bart Van Assche, Johannes Thumshirn, Hannes Reinecke,
	linux-kernel, kernel-janitors, linux-scsi


Christoph,

> The whole passthrough ioctl path looks completely broken to me.  For
> example it dma maps the scatterlist and after that copies data to it,
> which is prohibited by the DMA API contract.
>
> So I'd be tempted to just remove the PMCRAID_PASSTHROUGH_IOCTL ioctl
> implementation entirely, and if users for it do pop up we should
> reimplement it using the proper block layer request mapping helpers.

Given that nobody has complained since 2018 I propose we remove it.

-- 
Martin K. Petersen	Oracle Linux Engineering

