Re: [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices

All of lore.kernel.org
 help / color / mirror / Atom feed

From: sashiko-bot@kernel.org
To: "Ranjan Kumar" <ranjan.kumar@broadcom.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices
Date: Fri, 26 Jun 2026 12:07:26 +0000	[thread overview]
Message-ID: <20260626120727.3CD5B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260626114109.43685-5-ranjan.kumar@broadcom.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Unvalidated firmware-provided `page_size` used as a shift exponent can lead to Undefined Behavior and a divide-by-zero panic.
--

commit f5cd5ed48fb67b9c92c834f74f43b66abd174677
Author: Ranjan Kumar <ranjan.kumar@broadcom.com>

mpi3mr: Fix NVMe page size caching for non-operational devices

This commit updates the driver to populate the PCIe page size attribute
regardless of the device access status, ensuring management IOCTLs can be
processed for non-operational devices.

> diff --git a/drivers/scsi/mpi3mr/mpi3mr_os.c b/drivers/scsi/mpi3mr/mpi3mr_os.c
> --- a/drivers/scsi/mpi3mr/mpi3mr_os.c
> +++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
> @@ -1354,12 +1354,10 @@ static void mpi3mr_update_tgtdev(struct mpi3mr_ioc *mrioc,
>  		tgtdev->dev_spec.pcie_inf.capb =
>  		    le32_to_cpu(pcieinf->capabilities);
>  		tgtdev->dev_spec.pcie_inf.mdts = MPI3MR_DEFAULT_MDTS;
> -		/* 2^12 = 4096 */
> -		tgtdev->dev_spec.pcie_inf.pgsz = 12;
> +		tgtdev->dev_spec.pcie_inf.pgsz = pcieinf->page_size;

[Severity: High]
This is a pre-existing issue, but does removing the NO_ERRORS check expose
the driver to undefined behavior if the firmware returns garbage data?

For devices in an error state, the firmware might return uninitialized
data like 0xFF for pcieinf->page_size. This unvalidated value is later
used in shift operations:

drivers/scsi/mpi3mr/mpi3mr_app.c:mpi3mr_build_nvme_prp() {
    ...
    dev_pgsz = 1 << (tgtdev->dev_spec.pcie_inf.pgsz);
    ...
}

and

drivers/scsi/mpi3mr/mpi3mr_os.c:mpi3mr_configure_nvme_dev() {
    ...
    lim->virt_boundary_mask = (1 << pgsz) - 1;
    ...
}

Since 1 is a 32-bit signed integer, evaluating 1 << pgsz with a value
of 31 or greater results in signed integer overflow or a shift out of
bounds. If the shift evaluates to 0 on some architectures, it could also
cause a divide-by-zero panic when computing MPI3MR_IOCTL_SGE_SIZE % dev_pgsz
later in the code.

Is it possible to add bounds checking for the page_size before assigning
it to tgtdev->dev_spec.pcie_inf.pgsz?

>  		if (dev_pg0->access_status == MPI3_DEVICE0_ASTATUS_NO_ERRORS) {
>  			tgtdev->dev_spec.pcie_inf.mdts =
>  			    le32_to_cpu(pcieinf->maximum_data_transfer_size);
> -			tgtdev->dev_spec.pcie_inf.pgsz = pcieinf->page_size;
>  			tgtdev->dev_spec.pcie_inf.reset_to =
>  			    max_t(u8, pcieinf->controller_reset_to,
>  			     MPI3MR_INTADMCMD_TIMEOUT);

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260626114109.43685-1-ranjan.kumar@broadcom.com?part=4

next prev parent reply	other threads:[~2026-06-26 12:07 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-26 11:40 [PATCH v1 00/10] mpi3mr: Few Enhancements and minor fixes Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 01/10] mpi3mr: Skip device shutdown during unload per controller configuration Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 02/10] mpi3mr: Update MPI Headers to revision 41 Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 03/10] mpi3mr: Add early timestamp synchronization after driver load Ranjan Kumar
2026-06-26 11:41 ` [PATCH v1 04/10] mpi3mr: Fix NVMe page size caching for non-operational devices Ranjan Kumar
2026-06-26 12:07   ` sashiko-bot [this message]
2026-06-26 11:41 ` [PATCH v1 05/10] mpi3mr: Fix performance regression caused by extended IRQ poll sleep Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 06/10] mpi3mr: Fix memory leak on operational queue creation failure Ranjan Kumar
2026-06-26 12:02   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 07/10] mpi3mr: Fix firmware event reference leak during cleanup Ranjan Kumar
2026-06-26 12:03   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 08/10] mpi3mr: Fix SAS port allocation and registration error handling Ranjan Kumar
2026-06-26 12:06   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 09/10] mpi3mr: Fix SAS PHY cleanup in host addition error paths Ranjan Kumar
2026-06-26 12:16   ` sashiko-bot
2026-06-26 11:41 ` [PATCH v1 10/10] mpi3mr: Driver version update to 8.18.0.8.50 Ranjan Kumar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260626120727.3CD5B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=ranjan.kumar@broadcom.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.