Message ID | 5c125b2f-92dd-412b-9b6f-fc3a3207bd60@moroto.mountain (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Series | scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() | expand |
> On Apr 2, 2024, at 02:56, Dan Carpenter <dan.carpenter@linaro.org> wrote: > > The app_reply->elem[] array is allocated earlier in this function and it > has app_req.num_ports elements. Thus this > comparison needs to be >= > to prevent memory corruption. > > Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/scsi/qla2xxx/qla_edif.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c > index 26e6b3e3af43..dcde55c8ee5d 100644 > --- a/drivers/scsi/qla2xxx/qla_edif.c > +++ b/drivers/scsi/qla2xxx/qla_edif.c > @@ -1100,7 +1100,7 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) > > list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { > if (fcport->edif.enable) { > - if (pcnt > app_req.num_ports) > + if (pcnt >= app_req.num_ports) > break; > > app_reply->elem[pcnt].rekey_count = > -- > 2.43.0 > Looks Good. Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com <mailto:himanshu.madhani@oracle.com>>
On 4/2/24 02:56, Dan Carpenter wrote: > The app_reply->elem[] array is allocated earlier in this function and it > has app_req.num_ports elements. Thus this > comparison needs to be >= > to prevent memory corruption. > > Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > drivers/scsi/qla2xxx/qla_edif.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c > index 26e6b3e3af43..dcde55c8ee5d 100644 > --- a/drivers/scsi/qla2xxx/qla_edif.c > +++ b/drivers/scsi/qla2xxx/qla_edif.c > @@ -1100,7 +1100,7 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) > > list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { > if (fcport->edif.enable) { > - if (pcnt > app_req.num_ports) > + if (pcnt >= app_req.num_ports) > break; > > app_reply->elem[pcnt].rekey_count = Looks good. Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
On Tue, 02 Apr 2024 12:56:54 +0300, Dan Carpenter wrote: > The app_reply->elem[] array is allocated earlier in this function and it > has app_req.num_ports elements. Thus this > comparison needs to be >= > to prevent memory corruption. > > Applied to 6.9/scsi-fixes, thanks! [1/1] scsi: qla2xxx: Fix off by one in qla_edif_app_getstats() https://git.kernel.org/mkp/scsi/c/4406e4176f47
diff --git a/drivers/scsi/qla2xxx/qla_edif.c b/drivers/scsi/qla2xxx/qla_edif.c index 26e6b3e3af43..dcde55c8ee5d 100644 --- a/drivers/scsi/qla2xxx/qla_edif.c +++ b/drivers/scsi/qla2xxx/qla_edif.c @@ -1100,7 +1100,7 @@ qla_edif_app_getstats(scsi_qla_host_t *vha, struct bsg_job *bsg_job) list_for_each_entry_safe(fcport, tf, &vha->vp_fcports, list) { if (fcport->edif.enable) { - if (pcnt > app_req.num_ports) + if (pcnt >= app_req.num_ports) break; app_reply->elem[pcnt].rekey_count =
The app_reply->elem[] array is allocated earlier in this function and it has app_req.num_ports elements. Thus this > comparison needs to be >= to prevent memory corruption. Fixes: 7878f22a2e03 ("scsi: qla2xxx: edif: Add getfcinfo and statistic bsgs") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- drivers/scsi/qla2xxx/qla_edif.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)