scsi: hpsa: Correct rare oob condition

There are some rare conditions where a spare is first in the device list
causing an array out-of-bounds condition.

Link: https://lore.kernel.org/r/159528197176.24772.14659026352708896249.stgit@brunhilda
Reviewed-by: Scott Teel <scott.teel@microsemi.com>
Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
Reviewed-by: Kevin Barnett <kevin.barnett@microsemi.com>
Signed-off-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 81d0414..9b1edc5 100644 (file)
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -3443,9 +3443,14 @@ static void hpsa_get_enclosure_info(struct ctlr_info *h,
        struct ErrorInfo *ei = NULL;
        struct bmic_sense_storage_box_params *bssbp = NULL;
        struct bmic_identify_physical_device *id_phys = NULL;
-       struct ext_report_lun_entry *rle = &rlep->LUN[rle_index];
+       struct ext_report_lun_entry *rle;
        u16 bmic_device_index = 0;
 
+       if (rle_index < 0 || rle_index >= HPSA_MAX_PHYS_LUN)
+               return;
+
+       rle = &rlep->LUN[rle_index];
+
        encl_dev->eli =
                hpsa_get_enclosure_logical_identifier(h, scsi3addr);
 
@@ -4174,6 +4179,9 @@ static void hpsa_get_ioaccel_drive_info(struct ctlr_info *h,
        int rc;
        struct ext_report_lun_entry *rle;
 
+       if (rle_index < 0 || rle_index >= HPSA_MAX_PHYS_LUN)
+               return;
+
        rle = &rlep->LUN[rle_index];
 
        dev->ioaccel_handle = rle->ioaccel_handle;
@@ -4198,7 +4206,12 @@ static void hpsa_get_path_info(struct hpsa_scsi_dev_t *this_device,
        struct ReportExtendedLUNdata *rlep, int rle_index,
        struct bmic_identify_physical_device *id_phys)
 {
-       struct ext_report_lun_entry *rle = &rlep->LUN[rle_index];
+       struct ext_report_lun_entry *rle;
+
+       if (rle_index < 0 || rle_index >= HPSA_MAX_PHYS_LUN)
+               return;
+
+       rle = &rlep->LUN[rle_index];
 
        if ((rle->device_flags & 0x08) && this_device->ioaccel_handle)
                this_device->hba_ioaccel_enabled = 1;
@@ -4420,7 +4433,8 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h)
                /*
                 * Skip over some devices such as a spare.
                 */
-               if (!tmpdevice->external && physical_device) {
+               if (phys_dev_index >= 0 && !tmpdevice->external &&
+                       physical_device) {
                        skip_device = hpsa_skip_device(h, lunaddrbytes,
                                        &physdev_list->LUN[phys_dev_index]);
                        if (skip_device)