[PATCH] scsi: mpi3mr: fix out-of-bounds write in mpi3mr_bsg_build_sgl()

From: Junrui Luo

Date: Sun May 10 2026 - 02:44:26 EST


In mpi3mr_bsg_process_mpt_cmds(), the RAIDMGMT_CMD path sets kern_buf_len
to the chain buffer size but leaves bsg_buf_len at the user-supplied
value. When bsg_buf_len exceeds kern_buf_len, the unsigned subtraction in
mpi3mr_bsg_build_sgl() underflows available_sges, leading to out-of-bounds
writes past the chain buffer. The analogous RAIDMGMT_RESP path already
clamps its buffer length via min(), but the RAIDMGMT_CMD path does not.

Fix by clamping bsg_buf_len to kern_buf_len.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: fb231d7deffb ("scsi: mpi3mr: Support for preallocation of SGL BSG data buffers part-2")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/scsi/mpi3mr/mpi3mr_app.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c
index 1353a8ff9c85..2e44a734a573 100644
--- a/drivers/scsi/mpi3mr/mpi3mr_app.c
+++ b/drivers/scsi/mpi3mr/mpi3mr_app.c
@@ -2628,6 +2628,7 @@ static long mpi3mr_bsg_process_mpt_cmds(struct bsg_job *job)
drv_buf_iter->kern_buf_len);
tmplen = min(drv_buf_iter->kern_buf_len,
drv_buf_iter->bsg_buf_len);
+ drv_buf_iter->bsg_buf_len = tmplen;
rmc_size = tmplen;
memcpy(drv_buf_iter->kern_buf, drv_buf_iter->bsg_buf, tmplen);
} else if (is_rmrb && (count == 1)) {
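Review bot: the added `+ drv_buf_iter->bsg_buf_len = tmplen;` silently truncates a user-supplied length that exceeds the chain buffer instead of rejecting the request; the commit message justifies this by pointing to the min() clamp already used on the RAIDMGMT_RESP path, but nothing in the hunk itself records why bsg_buf_len must be overwritten, so a one-line comment above the assignment (e.g. that mpi3mr_bsg_build_sgl() later derives available_sges from bsg_buf_len and would underflow on the unclamped value) would help future readers. Also, once tmplen has been stored in bsg_buf_len, the following `rmc_size = tmplen;` and the memcpy length are a second copy of the same value; keeping them derived from one source (either tmplen everywhere or bsg_buf_len everywhere) would make it harder for a later change to reintroduce a mismatch between the copied length and the length the SGL builder sees.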

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260510-fixes-a23cfcd525fe

Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>