Dan,

The MPI structures are of variable length and can go up to a maximum of 128 bytes (an MPI frame size) and as MPI standard the variable length MPI structures are left out with the last element as a single dword array.

Can we ignore the warning? If not we need to modify the MPI structure to have the NVMe_Command array to the maximum size of the frame (which is typically 128 but can change across hardware generations).

Thanks
Sathya

-----Original Message-----
From: mpt-fusionlinux.pdl@xxxxxxxxxxxx [mailto:mpt-fusionlinux.pdl@xxxxxxxxxxxx] On Behalf Of Dan Carpenter
Sent: Tuesday, November 7, 2017 4:34 AM
To: suganath-prabu.subramani@xxxxxxxxxxxx
Cc: MPT-FusionLinux.pdl@xxxxxxxxxxxx; linux-scsi@xxxxxxxxxxxxxxx
Subject: [bug report] scsi: mpt3sas: Added support for nvme encapsulated request message.

Hello Suganath Prabu Subramani,

The patch aff39e61218f: "scsi: mpt3sas: Added support for nvme encapsulated request message." from Oct 31, 2017, leads to the following static checker warning:

    drivers/scsi/mpt3sas/mpt3sas_base.c:1459 _base_build_nvme_prp()
    error: buffer overflow 'nvme_encap_request->NVMe_Command' 4 <= 24

drivers/scsi/mpt3sas/mpt3sas_base.c
  1453         /*
  1454          * Set pointers to PRP1 and PRP2, which are in the NVMe command.
  1455          * PRP1 is located at a 24 byte offset from the start of the NVMe
                                       ^^^^^^^
The ->NVMe_Command is declared as a 4 byte array so this makes static checkers puzzled how there are more than 24 bytes in it.

  1456          * command.  Then set the current PRP entry pointer to PRP1.
  1457          */
  1458         prp1_entry = (__le64 *)(nvme_encap_request->NVMe_Command +
  1459                 NVME_CMD_PRP1_OFFSET);
  1460         prp2_entry = (__le64 *)(nvme_encap_request->NVMe_Command +
  1461                 NVME_CMD_PRP2_OFFSET);
  1462         prp_entry = prp1_entry;
  1463         /*
  1464          * For the PRP entries, use the specially allocated buffer of
  1465          * contiguous memory.
  1466          */
  1467         prp_page = (__le64 *)mpt3sas_base_get_pcie_sgl(ioc, smid);
  1468         prp_page_phys = (__le64 *)mpt3sas_base_get_pcie_sgl_dma(ioc, smid);
  1469

regards,
dan carpenter
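
Added example, not part of the original thread and not mpt3sas driver code: a variable-length command declared as a C99 flexible array member instead of a one-dword array, with the PRP1 access checked against the size of the frame that holds the request. The struct layout, its header and the names `encap_request`, `command_field` and `set_prp1` are hypothetical; only the 128-byte frame size and the 24-byte PRP1 offset come from the messages above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_SIZE  128   /* maximum MPI frame size stated in the thread */
#define PRP1_OFFSET 24    /* PRP1 byte offset stated in the quoted comment */

/* Hypothetical stand-in for the request layout: a fixed header followed by
 * the variable-length command. The flexible array member means sizeof()
 * no longer claims the command is exactly 4 bytes long. */
struct encap_request {
    uint32_t header[4];   /* constructed header, not the real MPI fields */
    uint32_t command[];   /* variable-length NVMe command */
};

/* Return a pointer to `len` bytes at byte offset `off` inside the command,
 * or NULL if that range does not fit in the frame holding the request. */
static void *command_field(struct encap_request *req, size_t frame_size,
                           size_t off, size_t len)
{
    size_t base = offsetof(struct encap_request, command);
    if (frame_size < base)
        return NULL;
    size_t room = frame_size - base;      /* bytes available to the command */
    if (off > room || len > room - off)   /* overflow-safe range check */
        return NULL;
    return (uint8_t *)req->command + off;
}

/* Store PRP1 in the frame; 0 on success, -1 if the field is out of bounds. */
static int set_prp1(void *frame, size_t frame_size, uint64_t prp1)
{
    void *p = command_field(frame, frame_size, PRP1_OFFSET, sizeof(prp1));
    if (!p)
        return -1;
    memcpy(p, &prp1, sizeof(prp1));       /* memcpy avoids unaligned stores */
    return 0;
}

int main(void)
{
    _Alignas(8) uint8_t frame[FRAME_SIZE] = {0};   /* constructed frame */
    return set_prp1(frame, sizeof(frame), 0x1122334455667788ULL);
}
```

Passing the frame size as a parameter keeps the check valid if the frame size differs across hardware generations, as the reply notes it can.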