From: kernel test robot <lkp@intel.com>
To: Rand Deeb <rand.sec96@gmail.com>,
Finn Thain <fthain@linux-m68k.org>,
Michael Schmitz <schmitzmic@gmail.com>,
"James E.J. Bottomley" <James.Bottomley@hansenpartnership.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: oe-kbuild-all@lists.linux.dev, deeb.rand@confident.ru,
lvc-project@linuxtesting.org,
voskresenski.stanislav@confident.ru,
Rand Deeb <rand.sec96@gmail.com>
Subject: Re: [PATCH] scsi: NCR5380: Prevent potential out-of-bounds read in spi_print_msg()
Date: Wed, 7 May 2025 15:31:14 +0800
Message-ID: <202505071504.SVF8vs1h-lkp@intel.com>
In-Reply-To: <20250430115926.6335-1-rand.sec96@gmail.com>

Hi Rand,

kernel test robot noticed the following build errors:

[auto build test ERROR on jejb-scsi/for-next]
[also build test ERROR on mkp-scsi/for-next linus/master v6.15-rc5 next-20250506]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Rand-Deeb/scsi-NCR5380-Prevent-potential-out-of-bounds-read-in-spi_print_msg/20250430-200221
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi.git for-next
patch link:    https://lore.kernel.org/r/20250430115926.6335-1-rand.sec96%40gmail.com
patch subject: [PATCH] scsi: NCR5380: Prevent potential out-of-bounds read in spi_print_msg()
config: alpha-randconfig-r072-20250501 (https://download.01.org/0day-ci/archive/20250507/202505071504.SVF8vs1h-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 11.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250507/202505071504.SVF8vs1h-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505071504.SVF8vs1h-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from drivers/scsi/g_NCR5380.c:691:
   drivers/scsi/NCR5380.c: In function 'NCR5380_reselect':
>> drivers/scsi/NCR5380.c:2107:51: error: 'len' undeclared (first use in this function); did you mean 'lun'?
    2107 |                 if (msg[0] == EXTENDED_MESSAGE && len >= 3) {
         |                                                   ^~~
         |                                                   lun
   drivers/scsi/NCR5380.c:2107:51: note: each undeclared identifier is reported only once for each function it appears in

vim +2107 drivers/scsi/NCR5380.c

  2099
  2100		if (!(msg[0] & 0x80)) {
  2101			shost_printk(KERN_ERR, instance, "expecting IDENTIFY message, got ");
  2102
  2103			/*
  2104			 * Defensive check before calling spi_print_msg():
  2105			 * Avoid buffer overrun if msg claims extended length.
  2106			 */
> 2107			if (msg[0] == EXTENDED_MESSAGE && len >= 3) {
  2108				int expected_len = 2 + msg[1];
  2109
  2110				if (expected_len == 2)
  2111					expected_len += 256;
  2112
  2113				if (len >= expected_len)
  2114					spi_print_msg(msg);
  2115				else
  2116					pr_warn("spi_print_msg: skipping malformed extended message (len=%d, expected=%d)\n",
  2117						len, expected_len);
  2118			} else {
  2119				spi_print_msg(msg);
  2120			}
  2121
  2122			printk("\n");
  2123			do_abort(instance, 0);
  2124			return;
  2125		}
  2126		lun = msg[0] & 0x07;
  2127
  2128		/*
  2129		 * We need to add code for SCSI-II to track which devices have
  2130		 * I_T_L_Q nexuses established, and which have simple I_T_L
  2131		 * nexuses so we can chose to do additional data transfer.
  2132		 */
  2133
  2134		/*
  2135		 * Find the command corresponding to the I_T_L or I_T_L_Q nexus we
  2136		 * just reestablished, and remove it from the disconnected queue.
  2137		 */
  2138
  2139		tmp = NULL;
  2140		list_for_each_entry(ncmd, &hostdata->disconnected, list) {
  2141			struct scsi_cmnd *cmd = NCR5380_to_scmd(ncmd);
  2142
  2143			if (target_mask == (1 << scmd_id(cmd)) &&
  2144			    lun == (u8)cmd->device->lun) {
  2145				list_del(&ncmd->list);
  2146				tmp = cmd;
  2147				break;
  2148			}
  2149		}
  2150
  2151		if (tmp) {
  2152			dsprintk(NDEBUG_RESELECTION | NDEBUG_QUEUES, instance,
  2153				 "reselect: removed %p from disconnected queue\n", tmp);
  2154		} else {
  2155			int target = ffs(target_mask) - 1;
  2156
  2157			shost_printk(KERN_ERR, instance, "target bitmask 0x%02x lun %d not in disconnected queue.\n",
  2158				     target_mask, lun);
  2159			/*
  2160			 * Since we have an established nexus that we can't do anything
  2161			 * with, we must abort it.
  2162			 */
  2163			if (do_abort(instance, 0) == 0)
  2164				hostdata->busy[target] &= ~(1 << lun);
  2165			return;
  2166		}
  2167

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki