[PATCH] scsi: mptfusion: Fix array out of bounds error
From: Alexey Gladkov
Date: Tue Jun 16 2026 - 08:51:14 EST
The driver retrieves the number of ports from the hardware. However, the
driver can handle no more than two such ports. It uses a fixed array for
them.
We use NumberOfPorts without checking, and maybe on actual hardware
there really are never more than two ports, but QEMU passes 8 [1][2].
[1] https://gitlab.com/qemu-project/qemu/-/blob/master/hw/scsi/mptsas.h?ref_type=heads#L7
[2] https://gitlab.com/qemu-project/qemu/-/blob/master/hw/scsi/mptsas.c?ref_type=heads#L619
Signed-off-by: Alexey Gladkov <legion@xxxxxxxxxx>
---
drivers/message/fusion/mptbase.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
index 3a431ffd3e2e..05bd556bb938 100644
--- a/drivers/message/fusion/mptbase.c
+++ b/drivers/message/fusion/mptbase.c
@@ -3257,6 +3257,8 @@ GetPortFacts(MPT_ADAPTER *ioc, int portnum, int sleepFlag)
return -4;
}
+ BUG_ON(portnum < 0 || portnum >= ARRAY_SIZE(ioc->pfacts));
+
pfacts = &ioc->pfacts[portnum];
/* Destination (reply area)... */
@@ -6701,6 +6703,7 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
char expVer[32];
int sz;
int p;
+ int numberOfPorts = MIN(ioc->facts.NumberOfPorts, ARRAY_SIZE(ioc->pfacts));
mpt_get_fw_exp_ver(expVer, ioc);
@@ -6755,7 +6758,7 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
seq_printf(m, " MaxBuses = %d\n", ioc->facts.MaxBuses);
/* per-port info */
- for (p=0; p < ioc->facts.NumberOfPorts; p++) {
+ for (p = 0; p < numberOfPorts; p++) {
seq_printf(m, " PortNumber = %d (of %d)\n",
p+1,
ioc->facts.NumberOfPorts);
--
2.54.0