| Message ID | 20211109115219.GE16587@kili (mailing list archive) |
|---|---|
| State | Accepted |
| Headers | show |
| Series | scsi: qla2xxx: edif: fix off by one bug in qla_edif_app_getfcinfo() | expand |
Looks fine. (The break; test could perhaps be moved prior to the ql_dbg() call above but that's not all that critical. Or, that ql_dbg()) call could potentially move outside the list traversal since it is invariant, Marvell you might want to look at that.) Reviewed-by: Ewan D. Milne <emilne@redhat.com> On Tue, Nov 9, 2021 at 6:56 AM Dan Carpenter <dan.carpenter@oracle.com> wrote: > > The > comparison needs to be >= to prevent accessing one element beyond > the end of the app_reply->ports[] array. > > Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/scsi/qla2xxx/qla_edif.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c > index 2e37b189cb75..53d2b8562027 100644 > --- a/drivers/scsi/qla2xxx/qla_edif.c > +++ b/drivers/scsi/qla2xxx/qla_edif.c > @@ -865,7 +865,7 @@ qla_edif_app_getfcinfo(scsi_qla_host_t *vha, struct bsg_job *bsg_job) > "APP request entry - portid=%06x.\n", tdid.b24); > > /* Ran out of space */ > - if (pcnt > app_req.num_ports) > + if (pcnt >= app_req.num_ports) > break; > > if (tdid.b24 != 0 && tdid.b24 != fcport->d_id.b24) > -- > 2.20.1 >
> On Nov 9, 2021, at 5:52 AM, Dan Carpenter <dan.carpenter@oracle.com> wrote: > > The > comparison needs to be >= to prevent accessing one element beyond > the end of the app_reply->ports[] array. > > Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/scsi/qla2xxx/qla_edif.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c > index 2e37b189cb75..53d2b8562027 100644 > --- a/drivers/scsi/qla2xxx/qla_edif.c > +++ b/drivers/scsi/qla2xxx/qla_edif.c > @@ -865,7 +865,7 @@ qla_edif_app_getfcinfo(scsi_qla_host_t *vha, struct bsg_job *bsg_job) > "APP request entry - portid=%06x.\n", tdid.b24); > > /* Ran out of space */ > - if (pcnt > app_req.num_ports) > + if (pcnt >= app_req.num_ports) > break; > > if (tdid.b24 != 0 && tdid.b24 != fcport->d_id.b24) > -- > 2.20.1 > Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com> Also, I agree with comments from Ewan about the ql_dbg(), it needs to be fixed as separate patch. -- Himanshu Madhani Oracle Linux Engineering
On Tue, 9 Nov 2021 14:52:19 +0300, Dan Carpenter wrote: > The > comparison needs to be >= to prevent accessing one element beyond > the end of the app_reply->ports[] array. > > Applied to 5.16/scsi-fixes, thanks! [1/1] scsi: qla2xxx: edif: fix off by one bug in qla_edif_app_getfcinfo() https://git.kernel.org/mkp/scsi/c/e11e285b9cd1
diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c index 2e37b189cb75..53d2b8562027 100644 --- a/drivers/scsi/qla2xxx/qla_edif.c +++ b/drivers/scsi/qla2xxx/qla_edif.c @@ -865,7 +865,7 @@ qla_edif_app_getfcinfo(scsi_qla_host_t *vha, struct bsg_job *bsg_job) "APP request entry - portid=%06x.\n", tdid.b24); /* Ran out of space */ - if (pcnt > app_req.num_ports) + if (pcnt >= app_req.num_ports) break; if (tdid.b24 != 0 && tdid.b24 != fcport->d_id.b24)
The > comparison needs to be >= to prevent accessing one element beyond the end of the app_reply->ports[] array. Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/scsi/qla2xxx/qla_edif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)