re: scsi: sg: NO_DXFER move to/from kernel buffers

re: scsi: sg: NO_DXFER move to/from kernel buffers

[Colin Ian King]

Hi,

Static analysis on linux-next with Coverity has detected an issue in
drivers/scsi/sg.c with the following recent commit:

commit b32ac463cb59e758b4560260fd168a2b4ea6e81a
Author: Douglas Gilbert <dgilbert@interlog.com>
Date:   Fri Feb 19 21:00:54 2021 -0500

    scsi: sg: NO_DXFER move to/from kernel buffers

The analysis is as follows:

2973 sg_rq_map_kern(struct sg_request *srp, struct request_queue *q,
struct request *rqq, int rw_ind)
2974 {
2975        struct sg_scatter_hold *schp = &srp->sgat_h;
2976        struct bio *bio;

    1. var_decl: Declaring variable k without initializer.

2977        int k, ln;
2978        int op_flags = 0;
2979        int num_sgat = schp->num_sgat;
2980        int dlen = schp->dlen;
2981        int pg_sz = 1 << (PAGE_SHIFT + schp->page_order);
2982        int num_segs = (1 << schp->page_order) * num_sgat;
2983        int res = 0;
2984

    2. Condition _sdp, taking true branch.
    3. Condition _sdp->disk, taking true branch.
    4. Condition !!(_sdp && _sdp->disk), taking true branch.
    5. Condition !!(((scsi_logging_level >> 3) & 7U /* (1 << 3) - 1 */)
> 4), taking true branch.
    6. Condition !!(((scsi_logging_level >> 3) & 7U /* (1 << 3) - 1 */)
> 4), taking true branch.
    7. Falling through to end of if statement.

2985        SG_LOG(4, srp->parentfp, "%s: dlen=%d, pg_sz=%d\n",
__func__, dlen, pg_sz);

    8. Condition num_sgat <= 0, taking false branch.

2986        if (num_sgat <= 0)
2987                return 0;

    9. Condition rw_ind == 1, taking true branch.

2988        if (rw_ind == WRITE)
2989                op_flags = REQ_SYNC | REQ_IDLE;
    Uninitialized scalar variable
    10. uninit_use: Using uninitialized value k.

2990        bio = sg_mk_kern_bio(num_sgat - k);
2991        if (!bio)

Variable k is not initialized, however it is being read when it contains
a garbage value.

Colin