Message-ID: <834e83a227f40c4654b97f2f0b045b4cbd326f16.camel@perches.com>
Subject: Re: [PATCH] scsi: scsi_debug: fix return checks for kcalloc
From: Joe Perches
To: George Kennedy, gregkh@linuxfoundation.org, jejb@linux.ibm.com, martin.petersen@oracle.com
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, dan.carpenter@oracle.com
Date: Thu, 04 Nov 2021 09:04:01 -0700
In-Reply-To: <1635966102-29320-1-git-send-email-george.kennedy@oracle.com>

On Wed, 2021-11-03 at 14:01 -0500, George Kennedy wrote:
> Change return checks from kcalloc() to now check for NULL and
> ZERO_SIZE_PTR using the ZERO_OR_NULL_PTR macro or the following
> crash can occur if ZERO_SIZE_PTR indicator is returned.
>
> BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]
> BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
> Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789
[]
> diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c [] > @@ -3909,7 +3909,7 @@ static int resp_comp_write(struct scsi_cmnd *scp, > return ret; > dnum = 2 * num; > arr = kcalloc(lb_size, dnum, GFP_ATOMIC); > - if (NULL == arr) { > + if (ZERO_OR_NULL_PTR(arr)) { > mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, > INSUFF_RES_ASCQ); > return check_condition_result;

This one isn't necessary as num is already tested for non-0 above this block.
> @@ -4265,7 +4265,7 @@ static int resp_verify(struct scsi_cmnd *scp, struct sdebug_dev_info *devip) > return ret; > > arr = kcalloc(lb_size, vnum, GFP_ATOMIC); > - if (!arr) { > + if (ZERO_OR_NULL_PTR(arr)) { > mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, > INSUFF_RES_ASCQ); > return check_condition_result;

Here it's probably clearer code to test vnum == 0 before the kcalloc and return check_condition_result;

> @@ -4334,7 +4334,7 @@ static int resp_report_zones(struct scsi_cmnd *scp, > max_zones); > > arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC); > - if (!arr) { > + if (ZERO_OR_NULL_PTR(arr)) { > mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, > INSUFF_RES_ASCQ); > return check_condition_result;

And here test alloc_len == 0 before the kcalloc.
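
Review bot: in the resp_comp_write hunk, replacing `if (NULL == arr)` with `if (ZERO_OR_NULL_PTR(arr))` only matters if `lb_size * dnum` can be zero, and the context line `dnum = 2 * num;` shows that this depends on num (or lb_size) being zero at this point. If num is already rejected earlier in the function, drop this hunk; if not, the commit message should name the input that reaches the kcalloc() with a zero size, since the quoted KASAN trace does not identify which of the three call sites faulted.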
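
Review bot: in the resp_verify hunk, a zero vnum now ends in `mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC, INSUFF_RES_ASCQ)`, which reports a resource shortage to the initiator when no allocation actually failed. Test vnum == 0 before the `arr = kcalloc(lb_size, vnum, GFP_ATOMIC);` line and choose the return value for that case deliberately, leaving `if (!arr)` to mean allocation failure only.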
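
Review bot: in the resp_report_zones hunk, nothing at the changed line says that the case being guarded is a zero alloc_len rather than memory exhaustion, and both now share the same INSUFF_RES_ASC sense path. An explicit alloc_len == 0 test ahead of `arr = kcalloc(RZONES_DESC_HD, alloc_len, GFP_ATOMIC);`, with a one-line comment on why zero is handled there, documents the intent and keeps `if (!arr)` as the out-of-memory check.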
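
The failure mode described in the quoted commit message, shown as an added example that is not part of the original message or of the scsi_debug driver. It is a userspace C model: `model_kcalloc`, `null_check_only`, `length_first` and the `verdict` enum are hypothetical names, and the two macros mirror the kernel's ZERO_SIZE_PTR and ZERO_OR_NULL_PTR definitions.

```c
#include <stdint.h>
#include <stdlib.h>

/* Userspace model of the kernel macros; ZERO_SIZE_PTR is address 16 (0x10). */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

enum verdict { V_OK, V_NOMEM, V_ZERO_LEN, V_WOULD_FAULT };

/* Stand-in for kcalloc(): NULL on overflow/OOM, ZERO_SIZE_PTR for 0 bytes. */
static void *model_kcalloc(size_t n, size_t size)
{
	if (size != 0 && n > SIZE_MAX / size)
		return NULL;
	return (n * size == 0) ? ZERO_SIZE_PTR : calloc(n, size);
}

/* Shape of the pre-patch check: only NULL counts as failure. */
static enum verdict null_check_only(size_t lb_size, size_t vnum)
{
	void *arr = model_kcalloc(lb_size, vnum);
	enum verdict v;
	if (!arr)
		return V_NOMEM;
	/* The sentinel is non-NULL, so a copy into arr would write near 0x10. */
	v = ZERO_OR_NULL_PTR(arr) ? V_WOULD_FAULT : V_OK;
	if (v == V_OK)
		free(arr);
	return v;
}

/* Length tested first; lb_size is assumed to be a non-zero block size. */
static enum verdict length_first(size_t lb_size, size_t vnum)
{
	void *arr;
	if (vnum == 0)
		return V_ZERO_LEN;	/* caller decides which status to report */
	arr = model_kcalloc(lb_size, vnum);
	if (!arr)
		return V_NOMEM;
	if (!ZERO_OR_NULL_PTR(arr))
		free(arr);
	return V_OK;
}

int main(void)
{
	return null_check_only(512, 0) == V_WOULD_FAULT ? 0 : 1;
}
```

The sentinel's value, 16, is the same address that appears in the quoted KASAN report ("addr 0000000000000010").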