From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>,
Dick Kennedy <dick.kennedy@broadcom.com>
Subject: [PATCH 01/12] lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
Date: Sun, 22 Mar 2020 11:12:53 -0700 [thread overview]
Message-ID: <20200322181304.37655-2-jsmart2021@gmail.com> (raw)
In-Reply-To: <20200322181304.37655-1-jsmart2021@gmail.com>
The following kasan bug was called out:
BUG: KASAN: slab-out-of-bounds in lpfc_unreg_login+0x7c/0xc0 [lpfc]
Read of size 2 at addr ffff889fc7c50a22 by task lpfc_worker_3/6676
...
Call Trace:
dump_stack+0x96/0xe0
? lpfc_unreg_login+0x7c/0xc0 [lpfc]
print_address_description.constprop.6+0x1b/0x220
? lpfc_unreg_login+0x7c/0xc0 [lpfc]
? lpfc_unreg_login+0x7c/0xc0 [lpfc]
__kasan_report.cold.9+0x37/0x7c
? lpfc_unreg_login+0x7c/0xc0 [lpfc]
kasan_report+0xe/0x20
lpfc_unreg_login+0x7c/0xc0 [lpfc]
lpfc_sli_def_mbox_cmpl+0x334/0x430 [lpfc]
...
When processing the completion of a "Reg Rpi" login mailbox command in
lpfc_sli_def_mbox_cmpl, a call may be made to lpfc_unreg_login. The vpi
is extracted from the completing mailbox context and passed as an input
for the next. However, the vpi stored in the mailbox command context is
an absolute vpi, which for SLI4 represents both base + offset. When used
with a non-zero base component (function id > 0), this results in an
out-of-range access beyond the allocated phba->vpi_ids array.
Fix by subtracting the function's base value to get an accurate vpi number.
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
drivers/scsi/lpfc/lpfc_sli.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 0b26b5c0527e..4fc14bebb76e 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -2511,6 +2511,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb)
!pmb->u.mb.mbxStatus) {
rpi = pmb->u.mb.un.varWords[0];
vpi = pmb->u.mb.un.varRegLogin.vpi;
+ if (phba->sli_rev == LPFC_SLI_REV4)
+ vpi -= phba->sli4_hba.max_cfg_param.vpi_base;
lpfc_unreg_login(phba, vpi, rpi, pmb);
pmb->vport = vport;
pmb->mbox_cmpl = lpfc_sli_def_mbox_cmpl;
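Review bot: the subtraction on the SLI4 branch is applied with no range check before vpi is handed to lpfc_unreg_login, so a completion carrying a vpi below phba->sli4_hba.max_cfg_param.vpi_base (which wraps if vpi is unsigned) or one whose rebased value is still at or beyond the size of phba->vpi_ids would produce the same out-of-bounds read the KASAN report describes, just with different inputs. Consider validating the result against the allocated vpi count and logging and skipping the unreg on failure, e.g. after the subtraction: `if (vpi >= phba->max_vpi) { lpfc_printf_log(...); goto out; }` (or whatever the surrounding function uses to bail out), rather than trusting the mailbox value unconditionally. A one-line comment that varRegLogin.vpi is an absolute (base + offset) index on SLI4 would also help the next reader, since nothing in the hunk says why the subtraction is needed.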
--
2.16.4
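The absolute-versus-relative VPI arithmetic the commit message describes, written out as an added C example. This is not lpfc code and not part of the original mail: struct demo_hba, the vpi_base of 16, the eight-entry vpi_ids array and the demo_* functions are constructed stand-ins for the struct lpfc_hba fields the patch touches, and the explicit range check in demo_vpi_to_index goes beyond the two-line patch, which only rebases the value.

```c
#include <stdint.h>
#include <stdio.h>

#define LPFC_SLI_REV3 3
#define LPFC_SLI_REV4 4
#define DEMO_MAX_VPI  8   /* constructed; the real array is sized from the adapter */

/* Hypothetical stand-in for the struct lpfc_hba fields involved in the fix. */
struct demo_hba {
	int      sli_rev;
	uint16_t vpi_base;               /* sli4_hba.max_cfg_param.vpi_base */
	uint16_t max_vpi;                /* entries allocated in vpi_ids */
	uint16_t vpi_ids[DEMO_MAX_VPI];  /* phba->vpi_ids */
};

/* Constructed adapters: an SLI4 function whose VPI range starts at 16
 * (function id > 0), and an SLI3 adapter where VPIs are already relative. */
static const struct demo_hba demo_sli4_hba = {
	.sli_rev = LPFC_SLI_REV4, .vpi_base = 16, .max_vpi = DEMO_MAX_VPI,
	.vpi_ids = { 100, 101, 102, 103, 104, 105, 106, 107 },
};
static const struct demo_hba demo_sli3_hba = {
	.sli_rev = LPFC_SLI_REV3, .vpi_base = 0, .max_vpi = DEMO_MAX_VPI,
	.vpi_ids = { 200, 201, 202, 203, 204, 205, 206, 207 },
};

/* The pre-fix computation: index vpi_ids with the raw mailbox VPI.
 * Returns 1 when that index lies outside the array, which is the
 * slab-out-of-bounds read KASAN reported. */
static int demo_raw_vpi_oob(const struct demo_hba *phba, uint16_t mbox_vpi)
{
	return mbox_vpi >= phba->max_vpi;
}

/* The fixed computation plus the range check the patch leaves implicit:
 * rebase an SLI4 absolute VPI to the function-relative index, then refuse
 * anything that still does not fit in vpi_ids. Returns the index or -1. */
static int demo_vpi_to_index(const struct demo_hba *phba, uint16_t mbox_vpi)
{
	unsigned int idx = mbox_vpi;

	if (phba->sli_rev == LPFC_SLI_REV4) {
		if (mbox_vpi < phba->vpi_base)
			return -1;   /* below this function's range; would wrap if subtracted */
		idx = mbox_vpi - phba->vpi_base;
	}
	if (idx >= phba->max_vpi)
		return -1;           /* beyond the allocated array */
	return (int)idx;
}

/* What the unreg path ultimately needs: the vpi_ids entry for this VPI.
 * Returns the entry, or -1 when the mailbox VPI cannot be mapped safely. */
static int demo_lookup_vpi_id(const struct demo_hba *phba, uint16_t mbox_vpi)
{
	int idx = demo_vpi_to_index(phba, mbox_vpi);

	return idx < 0 ? -1 : phba->vpi_ids[idx];
}

int main(void)
{
	uint16_t mbox_vpi = 18;   /* absolute VPI as a REG_LOGIN completion would carry it */

	printf("SLI4 raw vpi %u out of bounds: %d\n", mbox_vpi,
	       demo_raw_vpi_oob(&demo_sli4_hba, mbox_vpi));
	printf("SLI4 rebased index: %d, vpi_id: %d\n",
	       demo_vpi_to_index(&demo_sli4_hba, mbox_vpi),
	       demo_lookup_vpi_id(&demo_sli4_hba, mbox_vpi));
	printf("SLI3 index for vpi 3: %d\n", demo_vpi_to_index(&demo_sli3_hba, 3));
	return 0;
}
```

With vpi_base 16 and an eight-entry array, absolute VPI 18 is out of range as a raw index but maps to relative index 2 after rebasing; the same function rejects a VPI below the base (15) or one whose rebased value is still too large (24), which is the check a reviewer would want next to the subtraction.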
Thread overview:
2020-03-22 18:12 [PATCH 00/12] lpfc: Update lpfc to revision 12.8.0.0 James Smart
2020-03-22 18:12 ` James Smart [this message]
2020-03-22 18:12 ` [PATCH 02/12] lpfc: Fix lockdep error - register non-static key James Smart
2020-03-22 18:12 ` [PATCH 03/12] lpfc: Fix lpfc overwrite of sg_cnt field in nvmefc_tgt_fcp_req James Smart
2020-03-22 18:12 ` [PATCH 04/12] lpfc: Fix scsi host template for SLI3 vports James Smart
2020-03-22 18:12 ` [PATCH 05/12] lpfc: Fix crash after handling a pci error James Smart
2020-03-22 18:12 ` [PATCH 06/12] lpfc: Fix update of wq consumer index in lpfc_sli4_wq_release James Smart
2020-03-22 18:12 ` [PATCH 07/12] lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG James Smart
2020-03-22 18:13 ` [PATCH 08/12] lpfc: Fix erroneous cpu limit of 128 on I/O statistics James Smart
2020-03-22 18:13 ` [PATCH 09/12] lpfc: Change default SCSI LUN QD to 64 James Smart
2020-03-23 11:05 ` Daniel Wagner
2020-03-23 16:18 ` James Smart
2020-03-22 18:13 ` [PATCH 10/12] lpfc: Make debugfs ktime stats generic for NVME and SCSI James Smart
2020-03-22 18:13 ` [PATCH 11/12] lpfc: Remove prototype FIPS/DSS options from SLI-3 James Smart
2020-03-22 18:13 ` [PATCH 12/12] lpfc: Update lpfc version to 12.8.0.0 James Smart
2020-03-27 3:17 ` [PATCH 00/12] lpfc: Update lpfc to revision 12.8.0.0 Martin K. Petersen