| Message ID | 20210407135840.494747-1-colin.king@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | [next] scsi: pm80xx: Fix potential infinite loop | expand |
On 07/04/2021 15:58, Colin King wrote: > From: Colin Ian King <colin.king@canonical.com> > > The for-loop iterates with a u8 loop counter i and compares this > with the loop upper limit of pm8001_ha->max_q_num which is a u32 > type. There is a potential infinite loop if pm8001_ha->max_q_num > is larger than the u8 loop counter. Fix this by making the loop > counter the same type as pm8001_ha->max_q_num. Heh, coincidentally I've read your blog post on this issue today. > Addresses-Coverity: ("Infinite loop") > Fixes: 65df7d1986a1 ("scsi: pm80xx: Fix chip initialization failure") AFAICS this still is in Martin's tree and not yet in Linus' tree. Anyways, looks good. Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Hi Colin! > The for-loop iterates with a u8 loop counter i and compares this with > the loop upper limit of pm8001_ha->max_q_num which is a u32 type. > There is a potential infinite loop if pm8001_ha->max_q_num is larger > than the u8 loop counter. Fix this by making the loop counter the same > type as pm8001_ha->max_q_num. No particular objections to the patch for future-proofing. However, as far as I can tell max_q_num is capped at 64 (PM8001_MAX_MSIX_VEC).
On Wed, Apr 7, 2021 at 7:18 PM Martin K. Petersen <martin.petersen@oracle.com> wrote: > > > Hi Colin! > > > The for-loop iterates with a u8 loop counter i and compares this with > > the loop upper limit of pm8001_ha->max_q_num which is a u32 type. > > There is a potential infinite loop if pm8001_ha->max_q_num is larger > > than the u8 loop counter. Fix this by making the loop counter the same > > type as pm8001_ha->max_q_num. > > No particular objections to the patch for future-proofing. However, as > far as I can tell max_q_num is capped at 64 (PM8001_MAX_MSIX_VEC). Exactly. > > -- > Martin K. Petersen Oracle Linux Engineering
Colin, > The for-loop iterates with a u8 loop counter i and compares this with > the loop upper limit of pm8001_ha->max_q_num which is a u32 type. > There is a potential infinite loop if pm8001_ha->max_q_num is larger > than the u8 loop counter. Fix this by making the loop counter the same > type as pm8001_ha->max_q_num. Applied to 5.13/scsi-staging, thanks! -- Martin K. Petersen Oracle Linux Engineering
On Wed, 7 Apr 2021 14:58:40 +0100, Colin King wrote: > The for-loop iterates with a u8 loop counter i and compares this > with the loop upper limit of pm8001_ha->max_q_num which is a u32 > type. There is a potential infinite loop if pm8001_ha->max_q_num > is larger than the u8 loop counter. Fix this by making the loop > counter the same type as pm8001_ha->max_q_num. Applied to 5.13/scsi-queue, thanks! [1/1] scsi: pm80xx: Fix potential infinite loop https://git.kernel.org/mkp/scsi/c/40fa7394a1ad -- Martin K. Petersen Oracle Linux Engineering
diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c index d048455f4941..16edd84e7130 100644 --- a/drivers/scsi/pm8001/pm8001_hwi.c +++ b/drivers/scsi/pm8001/pm8001_hwi.c @@ -643,7 +643,7 @@ static void init_pci_device_addresses(struct pm8001_hba_info *pm8001_ha) */ static int pm8001_chip_init(struct pm8001_hba_info *pm8001_ha) { - u8 i = 0; + u32 i = 0; u16 deviceid; pci_read_config_word(pm8001_ha->pdev, PCI_DEVICE_ID, &deviceid); /* 8081 controllers need BAR shift to access MPI space