Message ID | 20230110015538.201332-3-shinichiro.kawasaki@wdc.com |
---|---|
State | Superseded |
Headers | show |
Series | scsi: mpi3mr: fix issues found by KASAN | expand |
diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c index 5bbfdff70570..239cb5e07b24 100644 --- a/drivers/scsi/mpi3mr/mpi3mr_app.c +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c @@ -345,7 +345,8 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, memcpy(&alltgt_info->num_devices, &num_devices, sizeof(num_devices)); - usr_entrylen = (job->request_payload.payload_len - sizeof(u32)) / sizeof(*devmap_info); + usr_entrylen = (job->request_payload.payload_len - sizeof(*alltgt_info)) + / sizeof(*devmap_info); usr_entrylen *= sizeof(*devmap_info); min_entrylen = min(usr_entrylen, kern_entrylen);
The function mpi3mr_get_all_tgt_info calculates valid entry length in alltgt_info whose type is pointer to struct mpi3mr_device_map_info. However, the calculation assumes that the struct would have size of u32. This results in wrong entry length. Fix the calculation to use the size of *alltgt_info in place of u32. Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> --- drivers/scsi/mpi3mr/mpi3mr_app.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)