From: sashiko-bot@kernel.org
To: "Michael Bommarito" <michael.bommarito@gmail.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH 2/2] scsi: lpfc: add KUnit coverage for EDC descriptor bounds
Date: Fri, 10 Jul 2026 02:43:49 +0000 [thread overview]
Message-ID: <20260710024349.ACECB1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710022932.3741311-3-michael.bommarito@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Medium] The KUnit test leaks memory pools if an assertion fails because cleanup is deferred instead of registered with KUnit.
- [Medium] The KUnit test uses an uninitialized `ndlp` node, causing the test to silently abort early and mask a missing mock function crash.
Pre-existing issues:
- [High] Missing bounds check for unknown EDC diagnostic descriptors allows an underflow of `bytes_remain`, leading to an out-of-bounds memory read or infinite loop.
--
--- Patch [2]: [PATCH 2/2] scsi: lpfc: add KUnit coverage for EDC descriptor bounds ---
commit dd6d0b3cfc06c72b1e47a15c2af79c7992a6552f
Author: Michael Bommarito <michael.bommarito@gmail.com>
scsi: lpfc: add KUnit coverage for EDC descriptor bounds
This patch adds KUnit coverage for lpfc_els_rcv_edc() descriptor-list bounds.
The tests live in lpfc_els.c so they can drive the real static EDC parser
without exporting test-only symbols.
> diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
> index 0023524528d93..3193a2aaac2f1 100644
> --- a/drivers/scsi/lpfc/lpfc_els.c
> +++ b/drivers/scsi/lpfc/lpfc_els.c
> @@ -12592,3 +12592,157 @@ lpfc_cmpl_els_uvem(struct lpfc_hba *phba, struct lpfc_iocbq *icmdiocb,
[ ... ]
> +static void lpfc_edc_kunit_setup_hba(struct kunit *test,
> + struct lpfc_hba *phba,
> + struct lpfc_vport *vport)
> +{
[ ... ]
> + phba->lpfc_mbuf_pool = dma_pool_create("lpfc_edc_mbuf", kdev,
> + LPFC_BPL_SIZE, 8, 0);
> + KUNIT_ASSERT_NOT_NULL(test, phba->lpfc_mbuf_pool);
> + phba->mbox_mem_pool = mempool_create_kmalloc_pool(1,
> + sizeof(LPFC_MBOXQ_t));
> + KUNIT_ASSERT_NOT_NULL(test, phba->mbox_mem_pool);
> +}
[Severity: Medium]
If any KUnit assertion fails later in lpfc_edc_kunit_run() (such as the
allocation check for cmd_dmabuf->virt), the test will abort immediately
without executing lpfc_edc_kunit_teardown_hba(). Will this leak the dma
and memory pools created here? Should these be registered for automatic
cleanup with KUnit instead?
[ ... ]
> +static void lpfc_edc_kunit_run(struct kunit *test, bool malformed)
> +{
> + struct lpfc_hba *phba;
> + struct lpfc_vport *vport;
> + struct lpfc_nodelist *ndlp;
> + struct lpfc_iocbq *cmdiocb;
> + struct lpfc_dmabuf *cmd_dmabuf;
> + struct fc_els_edc *edc;
> + struct fc_tlv_desc *tlv;
> + size_t payload_len;
> +
> + phba = kunit_kzalloc(test, sizeof(*phba), GFP_KERNEL);
> + vport = kunit_kzalloc(test, sizeof(*vport), GFP_KERNEL);
> + ndlp = kunit_kzalloc(test, sizeof(*ndlp), GFP_KERNEL);
[Severity: Medium]
Is the kref for this node list left as zero by the zero-allocation?
When lpfc_els_rcv_edc() calls lpfc_issue_els_edc_rsp() later in this path,
it attempts to take a reference via lpfc_nlp_get(ndlp). Because kref is
zero, won't this fail and return NULL, causing the function to silently abort
and skip sending the response?
This early abort would mask a potential crash, as phba->__lpfc_sli_issue_iocb
does not appear to be stubbed in the lpfc_edc_kunit_setup_hba() mock setup.
> + cmdiocb = kunit_kzalloc(test, sizeof(*cmdiocb), GFP_KERNEL);
> + cmd_dmabuf = kunit_kzalloc(test, sizeof(*cmd_dmabuf), GFP_KERNEL);
> + KUNIT_ASSERT_NOT_NULL(test, phba);
> + KUNIT_ASSERT_NOT_NULL(test, vport);
> + KUNIT_ASSERT_NOT_NULL(test, ndlp);
> + KUNIT_ASSERT_NOT_NULL(test, cmdiocb);
> + KUNIT_ASSERT_NOT_NULL(test, cmd_dmabuf);
[ ... ]
> + cmdiocb->cmd_dmabuf = cmd_dmabuf;
> + lpfc_els_rcv_edc(vport, cmdiocb, ndlp, payload_len);
[Severity: High]
This is a pre-existing issue, but missing bounds checks for unknown EDC
diagnostic descriptors in lpfc_els_rcv_edc() could allow an underflow of
bytes_remain.
In the target function:
lpfc_els.c:lpfc_els_rcv_edc() {
...
while (bytes_remain) {
...
switch (dtag) {
...
default:
dtag_nm = lpfc_get_tlv_dtag_nm(dtag);
lpfc_printf_log(phba, KERN_WARNING, ...);
}
bytes_remain -= FC_TLV_DESC_SZ_FROM_LENGTH(tlv);
tlv = fc_tlv_next_desc(tlv);
...
}
If a remote FC node sends an unknown descriptor tag whose length is maliciously
crafted to be larger than the remaining payload, won't bytes_remain underflow
to a huge value since there is no bounds check in the default switch case?
This could bypass the loop termination and allow an out-of-bounds read on the
next iteration.
> +
> + KUNIT_EXPECT_TRUE(test, true);
> + lpfc_edc_kunit_teardown_hba(phba);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710022932.3741311-1-michael.bommarito@gmail.com?part=2
next prev parent reply other threads:[~2026-07-10 2:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 2:29 [PATCH 0/2] scsi: lpfc: bound EDC descriptor TLV walk Michael Bommarito
2026-07-10 2:29 ` [PATCH 1/2] scsi: lpfc: bound EDC descriptor list by payload length Michael Bommarito
2026-07-10 2:42 ` sashiko-bot
2026-07-10 2:29 ` [PATCH 2/2] scsi: lpfc: add KUnit coverage for EDC descriptor bounds Michael Bommarito
2026-07-10 2:43 ` sashiko-bot [this message]
2026-07-10 16:53 ` [PATCH 0/2] scsi: lpfc: bound EDC descriptor TLV walk Justin Tee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710024349.ACECB1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=michael.bommarito@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.