Re: [PATCH] scsi: megaraid_sas: validate dynamic RAID map descriptor element counts
From: James Bottomley
Date: Tue Mar 24 2026 - 09:58:15 EST

On Tue, 2026-03-24 at 16:52 +0800, Pengpeng Hou wrote:
> MR_PopulateDrvRaidMap() uses raid_map_desc_elements from the
> firmware's dynamic RAID map to drive memcpy() sizes and array-copy
> loops into the driver-owned devHndlInfo[], ldTgtIdToLd[], arMapInfo[]
> and ldSpanMap[] buffers. Those destinations are fixed-size arrays,
> but the descriptor element counts are currently trusted without
> checking that they fit the corresponding driver map arrays.

The values for the array sizes come from the driver headers, which are
supposed to be in sync with the firmware. They're also pretty huge
(mostly 512) so what makes you think there's an actual problem here?

> Reject dynamic RAID map descriptors whose element counts exceed the
> destination array capacities before copying them into the driver map.

Even assuming there was some way the firmware and the driver could get
out of sync over the maximum, wouldn't the best thing we could do be to
warn and truncate?

Regards,
James
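
Added example, not part of the thread and not the megaraid_sas driver's code: a C sketch of the two policies discussed above for a firmware-supplied element count that exceeds a fixed-size destination array, rejecting the descriptor versus warning and truncating. All names (`copy_map_elements`, `DST_CAPACITY`, `oversize_policy`) are hypothetical, the capacity of 512 only echoes the "mostly 512" figure in the reply, and the source-length check is an extra assumption not raised in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity of a driver-owned destination array. */
#define DST_CAPACITY 512

enum oversize_policy { POLICY_REJECT, POLICY_TRUNCATE };

/*
 * Copy `count` 16-bit elements reported by firmware into a fixed-size
 * driver array. `src_len` is the number of bytes actually present in the
 * firmware buffer (assumption: the caller knows it), so the read side is
 * bounded as well as the write side.
 * Returns the number of elements copied, or -1 if the descriptor is rejected.
 */
int copy_map_elements(uint16_t *dst, const void *src, size_t src_len,
                      uint32_t count, enum oversize_policy policy)
{
    /* The source buffer must hold what the descriptor claims. */
    if ((size_t)count > src_len / sizeof(uint16_t))
        return -1;

    if (count > DST_CAPACITY) {
        if (policy == POLICY_REJECT)
            return -1;
        /* Warn-and-truncate: clamp to capacity, keep the leading elements. */
        fprintf(stderr, "map: %u elements exceed capacity %d, truncating\n",
                (unsigned)count, DST_CAPACITY);
        count = DST_CAPACITY;
    }
    memcpy(dst, src, (size_t)count * sizeof(uint16_t));
    return (int)count;
}

int main(void)
{
    /* Constructed sample: a firmware buffer claiming 600 elements. */
    static uint16_t fw[600];
    uint16_t dst[DST_CAPACITY];

    for (int i = 0; i < 600; i++)
        fw[i] = (uint16_t)i;
    printf("reject:   %d\n",
           copy_map_elements(dst, fw, sizeof(fw), 600, POLICY_REJECT));
    printf("truncate: %d\n",
           copy_map_elements(dst, fw, sizeof(fw), 600, POLICY_TRUNCATE));
    return 0;
}
```

Either policy keeps the copy inside the destination array; they differ in whether the caller continues with a partial map or gets an error to act on.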