sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be NULL if the memory pool is depleted. The result is used as 'dst' argument to memcpy() in the following call to sr_raid5_regenerate(), resulting in a possible NULL dereference.
ok? Index: softraid_raid5.c =================================================================== RCS file: /mount/openbsd/cvs/src/sys/dev/softraid_raid5.c,v retrieving revision 1.29 diff -u -p -r1.29 softraid_raid5.c --- softraid_raid5.c 8 Aug 2019 02:19:55 -0000 1.29 +++ softraid_raid5.c 25 Mar 2020 23:54:25 -0000 @@ -818,7 +818,8 @@ sr_raid5_rebuild(struct sr_discipline *s wu_w = sr_scsi_wu_get(sd, 0); wu_r = sr_scsi_wu_get(sd, 0); - xorbuf = sr_block_get(sd, strip_size); + if ((xorbuf = sr_block_get(sd, strip_size)) == NULL) + goto bad; if (sr_raid5_regenerate(wu_r, rebuild_chunk, chunk_lba, strip_size, xorbuf)) goto bad;