From: sashiko-bot@kernel.org
To: "Nilesh Javali" <njavali@marvell.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v2 29/60] scsi: qla2xxx: Update handling of status entries for 29xx series
Date: Fri, 12 Jun 2026 10:44:31 +0000 [thread overview]
Message-ID: <20260612104432.840021F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260612095333.1666592-30-njavali@marvell.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] An attacker-controlled target can cause an integer underflow in `par_sense_len` resulting in an out-of-bounds read of adjacent kernel heap/DMA ring memory, leaking it to user-space.
--
commit f656a1805f0e016da73a51f8736cdf5930510fd1
Author: Nilesh Javali <njavali@marvell.com>
scsi: qla2xxx: Update handling of status entries for 29xx series
This commit modifies the handling of status entries in the qla2xxx driver to
accommodate the extended structure for the 29xx series. It updates function
signatures to accept generic pointers and adjusts logic to differentiate
between standard and extended status entries.
> diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
> index c18ee2459f5bd..f81cf70a0542c 100644
> --- a/drivers/scsi/qla2xxx/qla_isr.c
> +++ b/drivers/scsi/qla2xxx/qla_isr.c
[ ... ]
> @@ -3480,20 +3505,20 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
> sense_len = par_sense_len = rsp_info_len = resid_len =
> fw_resid_len = 0;
> if (IS_FWI2_CAPABLE(ha)) {
> + qla_sts_fwi2_extract(ha, pkt, &sf);
> if (scsi_status & SS_SENSE_LEN_VALID)
> - sense_len = le32_to_cpu(sts24->sense_len);
> + sense_len = sf.sense_len;
> if (scsi_status & SS_RESPONSE_INFO_LEN_VALID)
> - rsp_info_len = le32_to_cpu(sts24->rsp_data_len);
> + rsp_info_len = sf.rsp_data_len;
[Severity: High]
This is a pre-existing issue, but can an attacker-controlled target cause an
integer underflow here?
If a compromised target provides an rsp_info_len (via sf.rsp_data_len)
larger than the actual data buffer size (par_sense_len, initialized to 28
or 60), the subtraction later in qla2x00_status_entry():
if (IS_FWI2_CAPABLE(ha)) {
sense_data += rsp_info_len;
par_sense_len -= rsp_info_len;
}
will underflow par_sense_len to a massive positive value.
Subsequently, when qla2x00_handle_sense() is called, the length check:
if (sense_len > par_sense_len)
sense_len = par_sense_len;
fails to cap sense_len, allowing the following memcpy:
memcpy(cp->sense_buffer, sense_data, sense_len);
to read out-of-bounds adjacent kernel heap or DMA ring memory, leaking it
into the SCSI command's sense buffer.
> if (scsi_status & (SS_RESIDUAL_UNDER | SS_RESIDUAL_OVER))
> - resid_len = le32_to_cpu(sts24->rsp_residual_count);
> + resid_len = sf.rsp_residual_count;
> if (comp_status == CS_DATA_UNDERRUN)
> fw_resid_len = le32_to_cpu(sts24->residual_len);
> - rsp_info = sts24->data;
> - sense_data = sts24->data;
> - host_to_fcp_swap(sts24->data, sizeof(sts24->data));
> + rsp_info = sf.data;
> + sense_data = sf.data;
> + par_sense_len = sf.data_sz;
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260612095333.1666592-1-njavali@marvell.com?part=29
next prev parent reply other threads:[~2026-06-12 10:44 UTC|newest]
Thread overview: 154+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-12 9:52 [PATCH v2 00/60] scsi: qla2xxx: Add QLA29xx series adapter support Nilesh Javali
2026-06-12 9:52 ` [PATCH v2 01/60] scsi: qla2xxx: Add 29xx series PCI device ID support Nilesh Javali
2026-06-12 10:30 ` sashiko-bot
2026-06-12 10:40 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 02/60] scsi: qla2xxx: Add flash read/write interface for 29xx Nilesh Javali
2026-06-12 10:16 ` sashiko-bot
2026-06-12 10:43 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 03/60] scsi: qla2xxx: Add NVRAM config support for 29xx adapters Nilesh Javali
2026-06-12 10:46 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 04/60] scsi: qla2xxx: Add get_flash_version " Nilesh Javali
2026-06-12 10:18 ` sashiko-bot
2026-06-12 10:48 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 05/60] scsi: qla2xxx: Add 29xx support in queue initialisation path Nilesh Javali
2026-06-12 10:17 ` sashiko-bot
2026-06-12 10:49 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 06/60] scsi: qla2xxx: Add FC operational firmware load for 29xx Nilesh Javali
2026-06-12 10:14 ` sashiko-bot
2026-06-12 10:52 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 07/60] scsi: qla2xxx: Add flash block read/write BSG support " Nilesh Javali
2026-06-12 10:11 ` sashiko-bot
2026-06-12 10:55 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 08/60] scsi: qla2xxx: Add BSG MPI firmware load/dump " Nilesh Javali
2026-06-12 10:14 ` sashiko-bot
2026-06-12 10:57 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 09/60] scsi: qla2xxx: Add 128-byte IOCB definitions " Nilesh Javali
2026-06-12 11:01 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 10/60] scsi: qla2xxx: Add extended status continuation and marker IOCBs Nilesh Javali
2026-06-12 11:02 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 11/60] scsi: qla2xxx: Remove duplicate flash memo block definitions Nilesh Javali
2026-06-12 11:03 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 12/60] scsi: qla2xxx: Update IO path to use 128-byte IOCBs for 29xx Nilesh Javali
2026-06-12 10:29 ` sashiko-bot
2026-06-12 11:12 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 13/60] scsi: qla2xxx: Replace IS_QLA29XX() size checks with entry-size helpers Nilesh Javali
2026-06-12 11:14 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 14/60] scsi: qla2xxx: Skip image-set-valid attribute for 29xx Nilesh Javali
2026-06-12 11:14 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 15/60] scsi: qla2xxx: Skip unsupported sysfs attributes " Nilesh Javali
2026-06-12 10:28 ` sashiko-bot
2026-06-12 11:15 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 16/60] scsi: qla2xxx: Enable get_fw_version mailbox " Nilesh Javali
2026-06-12 10:31 ` sashiko-bot
2026-06-12 11:16 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 17/60] scsi: qla2xxx: Extend execute_fw mailbox to include 29xx Nilesh Javali
2026-06-12 10:25 ` sashiko-bot
2026-06-12 11:17 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 18/60] scsi: qla2xxx: Enable get_adapter_id mailbox for 29xx Nilesh Javali
2026-06-12 11:18 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 19/60] scsi: qla2xxx: Enable init_firmware " Nilesh Javali
2026-06-12 11:18 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 20/60] scsi: qla2xxx: Enable get_firmware_state " Nilesh Javali
2026-06-12 11:19 ` Hannes Reinecke
2026-06-12 11:22 ` sashiko-bot
2026-06-12 9:52 ` [PATCH v2 21/60] scsi: qla2xxx: Enable serdes, resource count and FCE trace " Nilesh Javali
2026-06-12 10:38 ` sashiko-bot
2026-06-12 11:19 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 22/60] scsi: qla2xxx: Enable set_els_cmds and echo_test " Nilesh Javali
2026-06-12 11:20 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 23/60] scsi: qla2xxx: Add support for QLA29XX in data rate functions Nilesh Javali
2026-06-12 11:20 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 24/60] scsi: qla2xxx: Enable qla2x00_shutdown for 29xx Nilesh Javali
2026-06-12 11:21 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 25/60] scsi: qla2xxx: Use ring-slot helpers in __qla2x00_alloc_iocbs Nilesh Javali
2026-06-12 10:41 ` sashiko-bot
2026-06-12 11:21 ` Hannes Reinecke
2026-06-12 9:52 ` [PATCH v2 26/60] scsi: qla2xxx: Add support for QLA29XX in memory allocation Nilesh Javali
2026-06-12 10:40 ` sashiko-bot
2026-06-12 11:22 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 27/60] scsi: qla2xxx: Refactor marker IOCB handling for 29xx series Nilesh Javali
2026-06-12 11:36 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 28/60] scsi: qla2xxx: Handle sts_cont_entry_ext_t for 29xx adapters Nilesh Javali
2026-06-12 10:54 ` sashiko-bot
2026-06-12 11:47 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 29/60] scsi: qla2xxx: Update handling of status entries for 29xx series Nilesh Javali
2026-06-12 10:44 ` sashiko-bot [this message]
2026-06-12 12:12 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 30/60] scsi: qla2xxx: Enhance ct_entry_24xx_ext iocb handling " Nilesh Javali
2026-06-12 12:14 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 31/60] scsi: qla2xxx: Enhance purex_entry " Nilesh Javali
2026-06-12 10:54 ` sashiko-bot
2026-06-12 12:16 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 32/60] scsi: qla2xxx: Update handling of ELS IOCBs " Nilesh Javali
2026-06-12 12:33 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 33/60] scsi: qla2xxx: Add size check for ELS status entry layout on 29xx Nilesh Javali
2026-06-12 12:34 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 34/60] scsi: qla2xxx: Add 29xx extended logio IOCB support Nilesh Javali
2026-06-12 12:36 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 35/60] scsi: qla2xxx: Enhance task management IOCB handling for 29xx series Nilesh Javali
2026-06-12 11:13 ` sashiko-bot
2026-06-12 12:37 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 36/60] scsi: qla2xxx: Add abort command " Nilesh Javali
2026-06-12 11:15 ` sashiko-bot
2026-06-12 12:38 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 37/60] scsi: qla2xxx: Enhance ABTS processing " Nilesh Javali
2026-06-12 12:41 ` Hannes Reinecke
2026-06-12 15:12 ` sashiko-bot
2026-06-12 9:53 ` [PATCH v2 38/60] scsi: qla2xxx: Update VP control IOCB handling " Nilesh Javali
2026-06-12 12:45 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 39/60] scsi: qla2xxx: Add build-time size check for VP config IOCB layout Nilesh Javali
2026-06-12 12:45 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 40/60] scsi: qla2xxx: Add size check for extended VP report ID entry Nilesh Javali
2026-06-12 11:05 ` sashiko-bot
2026-06-12 12:46 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 41/60] scsi: qla2xxx: Unify NVMe IOCB build path for 29xx and legacy adapters Nilesh Javali
2026-06-12 11:02 ` sashiko-bot
2026-06-12 12:49 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 42/60] scsi: qla2xxx: Add LS4 pass-through IOCB handling for 29xx series Nilesh Javali
2026-06-12 12:50 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 43/60] scsi: qla2xxx: Convert NVMe ring advance to use qla_req_ring_advance() Nilesh Javali
2026-06-12 12:52 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 44/60] scsi: qla2xxx: Adjust feature gating in BSG paths for 29xx support Nilesh Javali
2026-06-12 11:16 ` sashiko-bot
2026-06-12 12:53 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 45/60] scsi: qla2xxx: Fix queue teardown NULL dma_free and bitmap locking Nilesh Javali
2026-06-12 12:56 ` Hannes Reinecke
2026-06-12 13:23 ` sashiko-bot
2026-06-12 9:53 ` [PATCH v2 46/60] scsi: qla2xxx: Replace __le16 bitfields with scalar and accessors Nilesh Javali
2026-06-12 12:57 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 47/60] scsi: qla2xxx: Fix endianness annotations in vp_rpt_id_entry structures Nilesh Javali
2026-06-12 12:59 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 48/60] scsi: qla2xxx: Use 64-bit FPM word counters for 29xx host stats Nilesh Javali
2026-06-12 13:00 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 49/60] scsi: qla2xxx: Add 64G/128G port speed setting support Nilesh Javali
2026-06-12 13:02 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 50/60] scsi: qla2xxx: Fix 64G link speed reporting in get_data_rate Nilesh Javali
2026-06-12 13:03 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 51/60] scsi: qla2xxx: edif: Fix NULL pointer deref in RX SA delete check Nilesh Javali
2026-06-12 11:43 ` sashiko-bot
2026-06-12 13:04 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 52/60] scsi: qla2xxx: Fix Name Server logout detection on FWI2 adapters Nilesh Javali
2026-06-12 13:08 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 53/60] scsi: qla2xxx: Bound VP index against VP_CTRL IOCB bitmap size Nilesh Javali
2026-06-12 11:35 ` sashiko-bot
2026-06-12 13:09 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 54/60] scsi: qla2xxx: Check entry_status in qla24xx_modify_vp_config() Nilesh Javali
2026-06-12 13:10 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 55/60] scsi: qla2xxx: Hold vport reference in qla24xx_report_id_acquisition() Nilesh Javali
2026-06-12 11:38 ` sashiko-bot
2026-06-12 13:10 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 56/60] scsi: qla2xxx: Initialize NVMe abort_work once at submission Nilesh Javali
2026-06-12 11:34 ` sashiko-bot
2026-06-12 13:11 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 57/60] scsi: qla2xxx: Hold qpair lock when sending NVMe LS reject Nilesh Javali
2026-06-12 11:39 ` sashiko-bot
2026-06-12 13:11 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 58/60] scsi: qla2xxx: Zero dport diagnostics buffer to avoid info leak Nilesh Javali
2026-06-12 11:40 ` sashiko-bot
2026-06-12 13:12 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 59/60] scsi: qla2xxx: Fix BSG job leak on validate flash image error path Nilesh Javali
2026-06-12 11:38 ` sashiko-bot
2026-06-12 13:12 ` Hannes Reinecke
2026-06-12 9:53 ` [PATCH v2 60/60] scsi: qla2xxx: Bound image count in qla2x00_update_fru_versions() Nilesh Javali
2026-06-12 11:45 ` sashiko-bot
2026-06-12 13:13 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260612104432.840021F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=njavali@marvell.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox