scsi: hisi_sas: fix out of bound at debug_I_T_nexus_reset()

driver inclusion category: bugfix bugzilla: NA CVE: NA We found a memory out of bounds issue in hisi_sas_debug_I_T_nexus_reset(). This function needs to use sas_phy(struct asd_sas_phy) when handling the link reset of the directly attached environment. Since controller has 8 phys, only 8 sas_phy spaces are alloced when probe. At the beginning of this function, we get the sas_phy pointer of the corresponding phy by sas_phy = sas_ha->sas_phy[local_phy->number]. There is a problem here, because in the case of direct attached, local_phy->number can be guaranteed to be less than 8, but in the case of expander, local_phy->number is greater than 8, it will cause out of bounds when run "sas_phy = sas_ha->sas_phy[local_phy->number]". We fix this OOB problem by moving the problematic code into the code section for direct attached backplane. Feature or Bugfix:Bugfix Signed-off-by: N Jiaxing Luo <luojiaxing@huawei.com> Signed-off-by: N John Garry <john.garry@huawei.com> Signed-off-by: N luojiaxing <luojiaxing@huawei.com> Reviewed-by: N chenxiang <chenxiang66@hisilicon.com> Reviewed-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

scsi: hisi_sas: fix out of bound at debug_I_T_nexus_reset()
driver inclusion category: bugfix bugzilla: NA CVE: NA We found a memory out of bounds issue in hisi_sas_debug_I_T_nexus_reset(). This function needs to use sas_phy(struct asd_sas_phy) when handling the link reset of the directly attached environment. Since controller has 8 phys, only 8 sas_phy spaces are alloced when probe. At the beginning of this function, we get the sas_phy pointer of the corresponding phy by sas_phy = sas_ha->sas_phy[local_phy->number]. There is a problem here, because in the case of direct attached, local_phy->number can be guaranteed to be less than 8, but in the case of expander, local_phy->number is greater than 8, it will cause out of bounds when run "sas_phy = sas_ha->sas_phy[local_phy->number]". We fix this OOB problem by moving the problematic code into the code section for direct attached backplane. Feature or Bugfix:Bugfix Signed-off-by: N Jiaxing Luo <luojiaxing@huawei.com> Signed-off-by: N John Garry <john.garry@huawei.com> Signed-off-by: N luojiaxing <luojiaxing@huawei.com> Reviewed-by: N chenxiang <chenxiang66@hisilicon.com> Reviewed-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
7ff9e14f · Jiaxing Luo · Xie XiuQi · e2f72567 · 7ff9e14f
隐藏空白更改
内联并排

Showing with 8 addition and 3 deletion

drivers/scsi/hisi_sas/hisi_sas_main.c drivers/scsi/hisi_sas/hisi_sas_main.c +8 -3

未找到文件。
--- a/drivers/scsi/hisi_sas/hisi_sas_main.c
+++ b/drivers/scsi/hisi_sas/hisi_sas_main.c
@@ -1769,12 +1769,13 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
 			      !dev_is_sata(device)) ? 1 : 0;
 	struct hisi_hba *hisi_hba = dev_to_hisi_hba(device);
 	struct sas_ha_struct *sas_ha = &hisi_hba->sha;
-	struct asd_sas_phy *sas_phy = sas_ha->sas_phy[local_phy->number];
-	struct hisi_sas_phy *phy = container_of(sas_phy,
-			struct hisi_sas_phy, sas_phy);
 	DECLARE_COMPLETION_ONSTACK(phyreset);

 	if (scsi_is_sas_phy_local(local_phy)) {
+		struct asd_sas_phy *sas_phy =
+			sas_ha->sas_phy[local_phy->number];
+		struct hisi_sas_phy *phy =
+			container_of(sas_phy, struct hisi_sas_phy, sas_phy);
 		phy->in_reset = 1;
 		phy->reset_completion = &phyreset;
 	}
@@ -1783,6 +1784,10 @@ static int hisi_sas_debug_I_T_nexus_reset(struct domain_device *device)
 	sas_put_local_phy(local_phy);

 	if (scsi_is_sas_phy_local(local_phy)) {
+		struct asd_sas_phy *sas_phy =
+			sas_ha->sas_phy[local_phy->number];
+		struct hisi_sas_phy *phy =
+			container_of(sas_phy, struct hisi_sas_phy, sas_phy);
 		/* Wait for I_T reset complete, time out after 2s */
 		int ret = wait_for_completion_timeout(&phyreset, 2 * HZ);
 		unsigned long flags;