Linux SCSI subsystem development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Markov Gleb" <markov.gi@npc-ksb.ru>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH] target: Fix an overwriting of the error status code
Date: Mon, 29 Jun 2026 13:22:46 +0000	[thread overview]
Message-ID: <20260629132247.8C2D01F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629130932.684-1-markov.gi@npc-ksb.ru>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [High] Invalid format specifier (`%lld`) and parsing function (`match_int`) used for 64-bit LUN values, causing silent truncation and parsing failures.
- [High] Out-of-bounds heap read when parsing `initiator_sid` from APTPL metadata if the provided string is shorter than 8 bytes.
- [High] Missing lock acquisition when adding to `aptpl_reg_list`, leading to linked list corruption on concurrent writes.
- [Medium] A pre-existing memory leak occurs when duplicate string keys are provided in the APTPL metadata.
--

commit 351651d7e3ca454861c7698ee9547223c7b37c39
Author: Gleb Markov <markov.gi@npc-ksb.ru>

target: Fix an overwriting of the error status code

If the maximum field length is exceeded, the error status code written to
ret will be overwritten without verification, and data with an incorrect
field length will be passed to core_scsi3_alloc_aptpl_registration(). This
commit fixes the error handling by jumping to the "out" label instead of
breaking the switch statement.

> diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
> index 860e840461778..4436111900318 100644
> --- a/drivers/target/target_core_configfs.c
> +++ b/drivers/target/target_core_configfs.c
> @@ -1636,7 +1636,7 @@ static ssize_t target_core_dev_pr_store_attr_res_aptpl_metadata(
>  					" exceeds PR_APTPL_MAX_IPORT_LEN: %d\n",
>  					PR_APTPL_MAX_IPORT_LEN);
>  				ret = -EINVAL;
> -				break;
> +				goto out;

[Severity: Medium]
This is a pre-existing issue, but does match_strdup() leak memory if multiple
instances of the same key are supplied?

Just above these lines in target_core_dev_pr_store_attr_res_aptpl_metadata(),
when Opt_initiator_node is matched:

		case Opt_initiator_node:
			i_port = match_strdup(args);

If a user provides a string with duplicate keys, match_strdup() allocates new
memory and overwrites i_port without freeing the previous allocation. Could
this cause a memory leak?

>  			}
>  			break;
>  		case Opt_initiator_sid:

[ ... ]

[Severity: High]
This is a pre-existing issue, but is the 64-bit LUN value being silently
truncated and ignored?

Looking at the token definitions in drivers/target/target_core_configfs.c:

	{Opt_mapped_lun, "mapped_lun=%lld"},
	{Opt_target_lun, "target_lun=%lld"},

The match_one() function in lib/parser.c does not support the %lld format
specifier, which causes match_token() to fail and silently ignore these
options.

Furthermore, even if it did match, the parsed value is truncated because
match_int() only handles 32-bit integers:

		case Opt_mapped_lun:
			ret = match_int(args, &arg);
			if (ret)
				goto out;
			mapped_lun = (u64)arg;

Does this completely break PR APTPL state restoration for non-zero LUNs?

[Severity: High]
This is a pre-existing issue, but can we read out-of-bounds from the isid
pointer when parsing initiator_sid?

The isid string is dynamically allocated based on its length in
target_core_dev_pr_store_attr_res_aptpl_metadata().

When it is passed to core_scsi3_alloc_aptpl_registration() in
drivers/target/target_core_pr.c, it is read using get_unaligned_be64():

	if (isid != NULL) {
		pr_reg->pr_reg_bin_isid = get_unaligned_be64(isid);
		snprintf(pr_reg->pr_reg_isid, PR_REG_ISID_LEN, "%s", isid);

If the initiator_sid provided by the user is shorter than 8 bytes,
get_unaligned_be64() will read past the end of the allocated string. Can this
leak uninitialized memory or cause a crash?

[Severity: High]
This is a pre-existing issue, but is there a missing lock when adding to
aptpl_reg_list?

In core_scsi3_alloc_aptpl_registration() in drivers/target/target_core_pr.c,
the new registration is added to the list:

	pr_reg->pr_res_holder = res_holder;

	list_add_tail(&pr_reg->pr_reg_aptpl_list, &pr_tmpl->aptpl_reg_list);

Since configfs store attributes don't provide mutual exclusion, concurrent
writes to the res_aptpl_metadata attribute could invoke
core_scsi3_alloc_aptpl_registration() simultaneously.

Does pr_tmpl->aptpl_reg_list need to be protected by aptpl_reg_lock to
prevent linked list corruption during concurrent writes?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629130932.684-1-markov.gi@npc-ksb.ru?part=1

      reply	other threads:[~2026-06-29 13:22 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 13:09 [PATCH] target: Fix an overwriting of the error status code Markov Gleb
2026-06-29 13:22 ` sashiko-bot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629132247.8C2D01F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=markov.gi@npc-ksb.ru \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox