sr_block_get() returns dma_alloc(length, PR_NOWAIT | PR_ZERO) which may be
NULL if the memory pool is depleted.
The result is used as the 'dst' argument to memcpy() in the following call to
sr_raid5_regenerate(), resulting in a possible NULL dereference.

ok?

Index: softraid_raid5.c
===================================================================
RCS file: /mount/openbsd/cvs/src/sys/dev/softraid_raid5.c,v
retrieving revision 1.29
diff -u -p -r1.29 softraid_raid5.c
--- softraid_raid5.c    8 Aug 2019 02:19:55 -0000       1.29
+++ softraid_raid5.c    25 Mar 2020 23:54:25 -0000
@@ -818,7 +818,8 @@ sr_raid5_rebuild(struct sr_discipline *s
                wu_w = sr_scsi_wu_get(sd, 0);
                wu_r = sr_scsi_wu_get(sd, 0);
 
-               xorbuf = sr_block_get(sd, strip_size);
+               if ((xorbuf = sr_block_get(sd, strip_size)) == NULL)
+                       goto bad;
                if (sr_raid5_regenerate(wu_r, rebuild_chunk, chunk_lba,
                    strip_size, xorbuf))
                        goto bad;
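Review bot: the new early `goto bad` fires after wu_w and wu_r have already been obtained from sr_scsi_wu_get() but before xorbuf holds a valid buffer, so the `bad:` label (outside this hunk) must both release the two work units and tolerate xorbuf == NULL; please confirm it does, since the pre-existing `goto bad` after sr_raid5_regenerate() only ever reached that label with an allocated xorbuf. A one-line comment on the check, noting that sr_block_get() can return NULL because it allocates with PR_NOWAIT, would make the reason for the early exit obvious to the next reader.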
