4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Shivasharan S <shivasharan.srikanteshw...@broadcom.com>


[ Upstream commit 7ada701d0d5e5c6d357e157a72b841db3e8d03f4 ]

Currently driver does not validate ldcount provided by firmware.  If the
value is invalid, fail RAID map validation accordingly.  This issue is
rare to hit in field and is fixed as part of code review.

Signed-off-by: Sumit Saxena <sumit.sax...@broadcom.com>
Signed-off-by: Shivasharan S <shivasharan.srikanteshw...@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.peter...@oracle.com>
Signed-off-by: Sasha Levin <alexander.le...@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
 drivers/scsi/megaraid/megaraid_sas_fp.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

--- a/drivers/scsi/megaraid/megaraid_sas_fp.c
+++ b/drivers/scsi/megaraid/megaraid_sas_fp.c
@@ -168,7 +168,7 @@ static struct MR_LD_SPAN *MR_LdSpanPtrGe
 /*
  * This function will Populate Driver Map using firmware raid map
  */
-void MR_PopulateDrvRaidMap(struct megasas_instance *instance)
+static int MR_PopulateDrvRaidMap(struct megasas_instance *instance)
 {
        struct fusion_context *fusion = instance->ctrl_context;
        struct MR_FW_RAID_MAP_ALL     *fw_map_old    = NULL;
@@ -259,7 +259,7 @@ void MR_PopulateDrvRaidMap(struct megasa
                ld_count = (u16)le16_to_cpu(fw_map_ext->ldCount);
                if (ld_count > MAX_LOGICAL_DRIVES_EXT) {
                        dev_dbg(&instance->pdev->dev, "megaraid_sas: LD count 
exposed in RAID map in not valid\n");
-                       return;
+                       return 1;
                }
 
                pDrvRaidMap->ldCount = (__le16)cpu_to_le16(ld_count);
@@ -285,6 +285,12 @@ void MR_PopulateDrvRaidMap(struct megasa
                        fusion->ld_map[(instance->map_id & 1)];
                pFwRaidMap = &fw_map_old->raidMap;
                ld_count = (u16)le32_to_cpu(pFwRaidMap->ldCount);
+               if (ld_count > MAX_LOGICAL_DRIVES) {
+                       dev_dbg(&instance->pdev->dev,
+                               "LD count exposed in RAID map in not valid\n");
+                       return 1;
+               }
+
                pDrvRaidMap->totalSize = pFwRaidMap->totalSize;
                pDrvRaidMap->ldCount = (__le16)cpu_to_le16(ld_count);
                pDrvRaidMap->fpPdIoTimeoutSec = pFwRaidMap->fpPdIoTimeoutSec;
@@ -300,6 +306,8 @@ void MR_PopulateDrvRaidMap(struct megasa
                        sizeof(struct MR_DEV_HANDLE_INFO) *
                        MAX_RAIDMAP_PHYSICAL_DEVICES);
        }
+
+       return 0;
 }
 
 /*
@@ -317,8 +325,8 @@ u8 MR_ValidateMapInfo(struct megasas_ins
        u16 ld;
        u32 expected_size;
 
-
-       MR_PopulateDrvRaidMap(instance);
+       if (MR_PopulateDrvRaidMap(instance))
+               return 0;
 
        fusion = instance->ctrl_context;
        drv_map = fusion->ld_drv_map[(instance->map_id & 1)];


Reply via email to