[PATCH] scsi: mpi3mr: bounds-check phy_number in mpi3mr_update_links()

From: Junrui Luo

Date: Sun Apr 19 2026 - 08:09:06 EST


mpi3mr_update_links() dereferences mr_sas_node->phy[phy_number] and
writes attached_handle without verifying that phy_number is within the
parent node's allocated phy array. Two callers feed phy_number from
firmware-supplied fields: mpi3mr_sastopochg_evt_bh() passes
(event_data->start_phy_num + i) from the SAS topology change event,
and mpi3mr_report_tgtdev_to_sas_transport() passes
tgtdev->dev_spec.sas_sata_inf.phy_id from firmware device information.

Since num_phys is a u8, a stray phy_number can reach 255 and index
past the kzalloc_objs()-sized phy[] array, leading to an out-of-bounds
access.

The sibling mpt3sas driver guards at the topology-change caller by
discarding entries whose phy_number exceeds max_phys. Apply the
equivalent check inside mpi3mr_update_links().

Fixes: 42fc9fee116f ("scsi: mpi3mr: Add helper functions to manage device's port")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/scsi/mpi3mr/mpi3mr_transport.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
index 240f67a8e2e3..dd9d530de6f9 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
@@ -1090,6 +1090,11 @@ void mpi3mr_update_links(struct mpi3mr_ioc *mrioc,
return;
}

+ if (phy_number >= mr_sas_node->num_phys) {
+ spin_unlock_irqrestore(&mrioc->sas_node_lock, flags);
+ return;
+ }
+
mr_sas_phy = &mr_sas_node->phy[phy_number];
mr_sas_phy->attached_handle = handle;
spin_unlock_irqrestore(&mrioc->sas_node_lock, flags);
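Review bot: the early return in the new `if (phy_number >= mr_sas_node->num_phys)` block silently drops a firmware-supplied phy index with no diagnostic, so a controller that reports an out-of-range start_phy_num or phy_id leaves no trace in the kernel log; consider emitting a (rate-limited) warning naming the node's sas_address, phy_number and num_phys before the `spin_unlock_irqrestore(&mrioc->sas_node_lock, flags); return;` pair so that the condition the commit message describes is observable when it occurs. The lock handling itself looks right: the new block releases sas_node_lock on the reject path exactly as the existing early-out above it does, and the check is placed before the `mr_sas_phy = &mr_sas_node->phy[phy_number];` dereference it protects, covering both callers listed in the commit message without touching them.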

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260419-fixes-dc5748010b4f

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>