[PATCH v2] libfc: sanity check cpu number extracted from xid

public inbox for linux-scsi@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2] libfc: sanity check cpu number extracted from xid
       [not found] ` <20160630070925.ptbgkeq57txs55gf-3LAbnSA0sDC4fIQPS+WK3rNAH6kLmebB@public.gmane.org>
@ 2016-06-30 15:32   ` Chris Leech
       [not found]     ` <1467300756-7949-1-git-send-email-cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
  2016-07-14  1:50     ` Martin K. Petersen
  0 siblings, 2 replies; 4+ messages in thread
From: Chris Leech @ 2016-06-30 15:32 UTC (permalink / raw)
  To: Johannes Thumshirn
  Cc: fcoe-devel-s9riP+hp16TNLxjTenLetw,
	linux-scsi-u79uwXL29TY76Z2rM5mHXA

In the receive path libfc extracts a cpu number from the ox_id in the
fiber channel header and uses that to do a per_cpu_ptr conversion.
If, for some reason, a frame is received with an invalid ox_id,
per_cpu_ptr will return an invalid pointer and the libfc receive path
will panic the system trying to use it.

I'm currently looking at such a case, and I don't yet know why a
cpu number > nr_cpu_ids is appearing in an exchange id.  But adding a
sanity check in libfc prevents a system panic, and seems like good idea
when dealing with frames coming in from the network.

Signed-off-by: Chris Leech <cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
 drivers/scsi/libfc/fc_exch.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index 30f9ef0..e72673b 100644
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -908,9 +908,17 @@ static struct fc_exch *fc_exch_find(struct fc_exch_mgr *mp, u16 xid)
 {
 	struct fc_exch_pool *pool;
 	struct fc_exch *ep = NULL;
+	u16 cpu = xid & fc_cpu_mask;
+
+	if (cpu >= nr_cpu_ids || !cpu_possible(cpu)) {
+		printk_ratelimited(KERN_ERR
+			"libfc: lookup request for XID = %d, "
+			"indicates invalid CPU %d\n", xid, cpu);
+		return NULL;
+	}
 
 	if ((xid >= mp->min_xid) && (xid <= mp->max_xid)) {
-		pool = per_cpu_ptr(mp->pool, xid & fc_cpu_mask);
+		pool = per_cpu_ptr(mp->pool, cpu);
 		spin_lock_bh(&pool->lock);
 		ep = fc_exch_ptr_get(pool, (xid - mp->min_xid) >> fc_cpu_order);
 		if (ep) {
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 4+ messages in thread

[parent not found: <1467300756-7949-1-git-send-email-cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>]

* Re: [PATCH v2] libfc: sanity check cpu number extracted from xid
       [not found]     ` <1467300756-7949-1-git-send-email-cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2016-07-01  8:09       ` Johannes Thumshirn
  2016-07-14  1:51         ` Martin K. Petersen
  0 siblings, 1 reply; 4+ messages in thread
From: Johannes Thumshirn @ 2016-07-01  8:09 UTC (permalink / raw)
  To: Chris Leech, Martin K . Petersen
  Cc: fcoe-devel-s9riP+hp16TNLxjTenLetw, Johannes Thumshirn,
	linux-scsi-u79uwXL29TY76Z2rM5mHXA

On Thu, Jun 30, 2016 at 08:32:36AM -0700, Chris Leech wrote:
> In the receive path libfc extracts a cpu number from the ox_id in the
> fiber channel header and uses that to do a per_cpu_ptr conversion.
> If, for some reason, a frame is received with an invalid ox_id,
> per_cpu_ptr will return an invalid pointer and the libfc receive path
> will panic the system trying to use it.
> 
> I'm currently looking at such a case, and I don't yet know why a
> cpu number > nr_cpu_ids is appearing in an exchange id.  But adding a
> sanity check in libfc prevents a system panic, and seems like good idea
> when dealing with frames coming in from the network.
> 
> Signed-off-by: Chris Leech <cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> ---
>  drivers/scsi/libfc/fc_exch.c | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
> index 30f9ef0..e72673b 100644
> --- a/drivers/scsi/libfc/fc_exch.c
> +++ b/drivers/scsi/libfc/fc_exch.c
> @@ -908,9 +908,17 @@ static struct fc_exch *fc_exch_find(struct fc_exch_mgr *mp, u16 xid)
>  {
>  	struct fc_exch_pool *pool;
>  	struct fc_exch *ep = NULL;
> +	u16 cpu = xid & fc_cpu_mask;
> +
> +	if (cpu >= nr_cpu_ids || !cpu_possible(cpu)) {
> +		printk_ratelimited(KERN_ERR
> +			"libfc: lookup request for XID = %d, "
> +			"indicates invalid CPU %d\n", xid, cpu);
> +		return NULL;
> +	}
>  
>  	if ((xid >= mp->min_xid) && (xid <= mp->max_xid)) {
> -		pool = per_cpu_ptr(mp->pool, xid & fc_cpu_mask);
> +		pool = per_cpu_ptr(mp->pool, cpu);
>  		spin_lock_bh(&pool->lock);
>  		ep = fc_exch_ptr_get(pool, (xid - mp->min_xid) >> fc_cpu_order);
>  		if (ep) {


Acked-by: Johannes Thumshirn <jth-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>

@Martin, do you queue the libfc patches as well?

-- 
Johannes Thumshirn                                          Storage
jthumshirn-l3A5Bk7waGM@public.gmane.org                                +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] libfc: sanity check cpu number extracted from xid
  2016-07-01  8:09       ` Johannes Thumshirn
@ 2016-07-14  1:51         ` Martin K. Petersen
  0 siblings, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2016-07-14  1:51 UTC (permalink / raw)
  To: Johannes Thumshirn
  Cc: Chris Leech, Martin K . Petersen, Johannes Thumshirn, fcoe-devel,
	linux-scsi, Vasu Dev

>>>>> "Johannes" == Johannes Thumshirn <jthumshirn@suse.de> writes:

Johannes> @Martin, do you queue the libfc patches as well?

Sure.

(Sorry about the delay, been on vacation).

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] libfc: sanity check cpu number extracted from xid
  2016-06-30 15:32   ` [PATCH v2] libfc: sanity check cpu number extracted from xid Chris Leech
       [not found]     ` <1467300756-7949-1-git-send-email-cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2016-07-14  1:50     ` Martin K. Petersen
  1 sibling, 0 replies; 4+ messages in thread
From: Martin K. Petersen @ 2016-07-14  1:50 UTC (permalink / raw)
  To: Chris Leech; +Cc: Johannes Thumshirn, fcoe-devel, linux-scsi, Vasu Dev

>>>>> "Chris" == Chris Leech <cleech@redhat.com> writes:

Chris> In the receive path libfc extracts a cpu number from the ox_id in
Chris> the fiber channel header and uses that to do a per_cpu_ptr
Chris> conversion.  If, for some reason, a frame is received with an
Chris> invalid ox_id, per_cpu_ptr will return an invalid pointer and the
Chris> libfc receive path will panic the system trying to use it.

Applied to 4.8/scsi-queue.

-- 
Martin K. Petersen	Oracle Linux Engineering

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-07-14  1:51 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20160630070925.ptbgkeq57txs55gf@c203.arch.suse.de>
     [not found] ` <20160630070925.ptbgkeq57txs55gf-3LAbnSA0sDC4fIQPS+WK3rNAH6kLmebB@public.gmane.org>
2016-06-30 15:32   ` [PATCH v2] libfc: sanity check cpu number extracted from xid Chris Leech
     [not found]     ` <1467300756-7949-1-git-send-email-cleech-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-07-01  8:09       ` Johannes Thumshirn
2016-07-14  1:51         ` Martin K. Petersen
2016-07-14  1:50     ` Martin K. Petersen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox