From: Fedor Pchelkin
To: Kashyap Desai
Cc: Fedor Pchelkin, Sumit Saxena, Shivasharan S, Chandrakanth patil, "James E.J. Bottomley", "Martin K. Petersen", megaraidlinux.pdl@broadcom.com, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov, lvc-project@linuxtesting.org
Subject: [PATCH] scsi: megaraid_mm: do not access uninit kioc_list members
Date: Sun, 3 Dec 2023 18:50:57 +0300
Message-ID: <20231203155058.24293-1-pchelkin@ispras.ru>

adapter->kioc_list is allocated using kmalloc_array() so its values are left uninitialized. In a rare OOM case when dma_pool_alloc() fails in mraid_mm_register_adp(), we should free the already allocated DMA pools but comparing kioc->pthru32 with NULL doesn't guard from accessing uninit memory.

Properly roll back in error case: free array members with lower indices.

Found by Linux Verification Center (linuxtesting.org).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Fedor Pchelkin
--- drivers/scsi/megaraid/megaraid_mm.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/megaraid/megaraid_mm.c b/drivers/scsi/megaraid/megaraid_mm.c index c509440bd161..701eb5ee2a69 100644 --- a/drivers/scsi/megaraid/megaraid_mm.c +++ b/drivers/scsi/megaraid/megaraid_mm.c
@@ -1001,12 +1001,10 @@ mraid_mm_register_adp(mraid_mmadp_t *lld_adp) pthru_dma_pool_error: - for (i = 0; i < lld_adp->max_kioc; i++) { + while (--i >= 0) { kioc = adapter->kioc_list + i; - if (kioc->pthru32) { - dma_pool_free(adapter->pthru_dma_pool, kioc->pthru32, - kioc->pthru32_h); - } + dma_pool_free(adapter->pthru_dma_pool, kioc->pthru32, + kioc->pthru32_h); } memalloc_error: -- 2.43.0
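
Review bot: in the pthru_dma_pool_error path, `while (--i >= 0)` is only correct if `i` is a signed integer that still holds the index of the failed dma_pool_alloc() when the label is reached, and neither the declaration of `i` nor the allocation loop is visible in this hunk. With the `if (kioc->pthru32)` check removed, dma_pool_free() is now called unconditionally, so any jump to this label with `i` pointing past an entry that was never filled would hand uninitialized kioc->pthru32 and kioc->pthru32_h values to the pool. Please confirm that `i` is signed and that every `goto pthru_dma_pool_error` originates inside the allocation loop, and consider a one-line comment above the loop stating that only entries below `i` were successfully allocated. Switching the kmalloc_array() mentioned in the commit message to a zeroing allocation would be an additional hardening option, since it would make a stale-index mistake here fail on a NULL pointer rather than on garbage.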