From 7ff9e14f046273b2fc5541c3973afd0e32249aff Mon Sep 17 00:00:00 2001
From: Jiaxing Luo
Date: Wed, 17 Jul 2019 16:21:43 +0800
Subject: [PATCH] scsi: hisi_sas: fix out of bound at debug_I_T_nexus_reset()

driver inclusion category: bugfix bugzilla: NA CVE: NA We found a memory out of bounds issue in hisi_sas_debug_I_T_nexus_reset(). This function needs to use sas_phy(struct asd_sas_phy) when handling the link reset of the directly attached environment. Since controller has 8 phys, only 8 sas_phy spaces are alloced when probe. At the beginning of this function, we get the sas_phy pointer of the corresponding phy by sas_phy = sas_ha->sas_phy[local_phy->number]. There is a problem here, because in the case of direct attached, local_phy->number can be guaranteed to be less than 8, but in the case of expander, local_phy->number is greater than 8, it will cause out of bounds when run "sas_phy = sas_ha->sas_phy[local_phy->number]". We fix this OOB problem by moving the problematic code into the code section for direct attached backplane. Feature or Bugfix:Bugfix
Signed-off-by: Jiaxing Luo
Signed-off-by: John Garry
Signed-off-by: luojiaxing
Reviewed-by: chenxiang
Reviewed-by: Yang Yingliang
Signed-off-by: Yang Yingliang
---
 drivers/scsi/hisi_sas/hisi_sas_main.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c b/drivers/scsi/hisi_sas/hisi_sas_main.c
index 62ca7989bf4a..8dee55b5bf65 100644
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1769,12 +1769,13 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
 					!dev_is_sata(device)) ? 1 : 0;
 	struct hisi_hba *hisi_hba = dev_to_hisi_hba(device);
 	struct sas_ha_struct *sas_ha = &hisi_hba->sha;
-	struct asd_sas_phy *sas_phy = sas_ha->sas_phy[local_phy->number];
-	struct hisi_sas_phy *phy = container_of(sas_phy,
-			struct hisi_sas_phy, sas_phy);
 	DECLARE_COMPLETION_ONSTACK(phyreset);
 
 	if (scsi_is_sas_phy_local(local_phy)) {
+		struct asd_sas_phy *sas_phy = sas_ha->sas_phy[local_phy->number];
+		struct hisi_sas_phy *phy = container_of(sas_phy, struct hisi_sas_phy, sas_phy);
 		phy->in_reset = 1;
 		phy->reset_completion = &phyreset;
 	}
@@ -1783,6 +1784,10 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
 	sas_put_local_phy(local_phy);
 
 	if (scsi_is_sas_phy_local(local_phy)) {
+		struct asd_sas_phy *sas_phy = sas_ha->sas_phy[local_phy->number];
+		struct hisi_sas_phy *phy = container_of(sas_phy, struct hisi_sas_phy, sas_phy);
 		/* Wait for I_T reset complete, time out after 2s */
 		int ret = wait_for_completion_timeout(&phyreset, 2 * HZ);
 		unsigned long flags;
-- 
GitLab
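Review bot: The added `sas_ha->sas_phy[local_phy->number]` in the first hunk is still an unchecked array index; the fix only narrows it to the local-phy branch and relies on the invariant, stated in the description, that a directly attached phy's number is below the number of allocated sas_phy slots. A cheap guard keeps a bad number from becoming a wild pointer dereference, e.g. `if (local_phy->number >= sas_ha->num_phys) return -EINVAL;` placed before the indexing, presumably with the existing local-phy reference released first; whether `num_phys` is the right bound for this driver should be confirmed against the probe path. hisi_sas_debug_I_T_nexus_reset() begins before this hunk and ends after the second one.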
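Review bot: The second hunk re-derives `sas_phy`/`phy` from `local_phy->number` after `sas_put_local_phy(local_phy)` has already dropped the reference, so the new lines add a dereference of a pointer the function no longer holds, and they duplicate the four lines of the first hunk. Computing the hisi_sas_phy once while the reference is still held avoids both: declare `struct hisi_sas_phy *phy = NULL;` with the other locals, set `phy = container_of(sas_ha->sas_phy[local_phy->number], struct hisi_sas_phy, sas_phy);` inside the first `if (scsi_is_sas_phy_local(local_phy))` block, and in the second block replace the four added lines with `if (phy) {` guarding the wait-for-completion path. That the phy object outlives the put in practice is an inference from libsas lifetime rules, not something visible here; the surrounding function starts and ends outside the hunks.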