[PATCH] scsi: mvsas: ensure loop counter phy_no does not wrap and cause an infinite loop

[PATCH] scsi: mvsas: ensure loop counter phy_no does not wrap and cause an infinite loop

[Colin King]

From: Colin Ian King <colin.king@canonical.com>

The loop counter phy_no is a u8 where as the upper limit of the loop
is a u32. In the event that upper limit is greater than 255 we end
up with an infinite loop since phy_no will wrap around an never reach
upper loop limit. Fix this by making phy_no a u32.

Addresses-Coverity: ("Infinite loop")
Fixes: 20b09c2992fe ("[SCSI] mvsas: add support for 94xx; layout change; bug fixes")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/scsi/mvsas/mv_sas.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
index a920eced92ec..9c03f23bde54 100644
--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -1940,7 +1940,7 @@ static void mvs_sig_time_out(struct timer_list *t)
 {
 	struct mvs_phy *phy = from_timer(phy, t, timer);
 	struct mvs_info *mvi = phy->mvi;
-	u8 phy_no;
+	u32 phy_no;
 
 	for (phy_no = 0; phy_no < mvi->chip->n_phy; phy_no++) {
 		if (&mvi->phy[phy_no] = phy) {
-- 
2.24.0

Re: [PATCH] scsi: mvsas: ensure loop counter phy_no does not wrap and cause an infinite loop

[James Bottomley]

On Sun, 2020-01-26 at 15:17 +0000, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> The loop counter phy_no is a u8 where as the upper limit of the loop
> is a u32. In the event that upper limit is greater than 255 we end
> up with an infinite loop since phy_no will wrap around an never reach
> upper loop limit. Fix this by making phy_no a u32.

This value is limited to MVS_MAX_PHYS (i.e. 8) so I don't see where the
concern comes from.  If we were ever to overrun that, we'd corrupt the
chip info structure, because it only allows MVS_MAX_PHYS for the amount
of space.

James