From: Colin Ian King <[email protected]>
The loop counter phy_no is a u8 where as the upper limit of the loop
is a u32. In the event that upper limit is greater than 255 we end
up with an infinite loop since phy_no will wrap around an never reach
upper loop limit. Fix this by making phy_no a u32.
Addresses-Coverity: ("Infinite loop")
Fixes: 20b09c2992fe ("[SCSI] mvsas: add support for 94xx; layout change; bug fixes")
Signed-off-by: Colin Ian King <[email protected]>
---
drivers/scsi/mvsas/mv_sas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/mvsas/mv_sas.c b/drivers/scsi/mvsas/mv_sas.c
index a920eced92ec..9c03f23bde54 100644
--- a/drivers/scsi/mvsas/mv_sas.c
+++ b/drivers/scsi/mvsas/mv_sas.c
@@ -1940,7 +1940,7 @@ static void mvs_sig_time_out(struct timer_list *t)
{
struct mvs_phy *phy = from_timer(phy, t, timer);
struct mvs_info *mvi = phy->mvi;
- u8 phy_no;
+ u32 phy_no;
for (phy_no = 0; phy_no < mvi->chip->n_phy; phy_no++) {
if (&mvi->phy[phy_no] == phy) {
--
2.24.0
On Sun, 2020-01-26 at 15:17 +0000, Colin King wrote:
> From: Colin Ian King <[email protected]>
>
> The loop counter phy_no is a u8 where as the upper limit of the loop
> is a u32. In the event that upper limit is greater than 255 we end
> up with an infinite loop since phy_no will wrap around an never reach
> upper loop limit. Fix this by making phy_no a u32.
This value is limited to MVS_MAX_PHYS (i.e. 8) so I don't see where the
concern comes from. If we were ever to overrun that, we'd corrupt the
chip info structure, because it only allows MVS_MAX_PHYS for the amount
of space.
James