From: sashiko-bot@kernel.org
To: "Michael Bommarito" <michael.bommarito@gmail.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH 2/2] scsi: lpfc: add KUnit coverage for EDC descriptor bounds
Date: Fri, 10 Jul 2026 02:43:49 +0000 [thread overview]
Message-ID: <20260710024349.ACECB1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710022932.3741311-3-michael.bommarito@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Medium] The KUnit test leaks memory pools if an assertion fails because cleanup is deferred instead of registered with KUnit.
- [Medium] The KUnit test uses an uninitialized `ndlp` node, causing the test to silently abort early and mask a missing mock function crash.
Pre-existing issues:
- [High] Missing bounds check for unknown EDC diagnostic descriptors allows an underflow of `bytes_remain`, leading to an out-of-bounds memory read or infinite loop.
--
--- Patch [2]: [PATCH 2/2] scsi: lpfc: add KUnit coverage for EDC descriptor bounds ---
commit dd6d0b3cfc06c72b1e47a15c2af79c7992a6552f
Author: Michael Bommarito <michael.bommarito@gmail.com>
scsi: lpfc: add KUnit coverage for EDC descriptor bounds
This patch adds KUnit coverage for lpfc_els_rcv_edc() descriptor-list bounds.
The tests live in lpfc_els.c so they can drive the real static EDC parser
without exporting test-only symbols.
> diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
> index 0023524528d93..3193a2aaac2f1 100644
> --- a/drivers/scsi/lpfc/lpfc_els.c
> +++ b/drivers/scsi/lpfc/lpfc_els.c
> @@ -12592,3 +12592,157 @@ lpfc_cmpl_els_uvem(struct lpfc_hba *phba, struct lpfc_iocbq *icmdiocb,
[ ... ]
> +static void lpfc_edc_kunit_setup_hba(struct kunit *test,
> + struct lpfc_hba *phba,
> + struct lpfc_vport *vport)
> +{
[ ... ]
> + phba->lpfc_mbuf_pool = dma_pool_create("lpfc_edc_mbuf", kdev,
> + LPFC_BPL_SIZE, 8, 0);
> + KUNIT_ASSERT_NOT_NULL(test, phba->lpfc_mbuf_pool);
> + phba->mbox_mem_pool = mempool_create_kmalloc_pool(1,
> + sizeof(LPFC_MBOXQ_t));
> + KUNIT_ASSERT_NOT_NULL(test, phba->mbox_mem_pool);
> +}
[Severity: Medium]
If any KUnit assertion fails later in lpfc_edc_kunit_run() (such as the
allocation check for cmd_dmabuf->virt), the test will abort immediately
without executing lpfc_edc_kunit_teardown_hba(). Will this leak the dma
and memory pools created here? Should these be registered for automatic
cleanup with KUnit instead?
[ ... ]
> +static void lpfc_edc_kunit_run(struct kunit *test, bool malformed)
> +{
> + struct lpfc_hba *phba;
> + struct lpfc_vport *vport;
> + struct lpfc_nodelist *ndlp;
> + struct lpfc_iocbq *cmdiocb;
> + struct lpfc_dmabuf *cmd_dmabuf;
> + struct fc_els_edc *edc;
> + struct fc_tlv_desc *tlv;
> + size_t payload_len;
> +
> + phba = kunit_kzalloc(test, sizeof(*phba), GFP_KERNEL);
> + vport = kunit_kzalloc(test, sizeof(*vport), GFP_KERNEL);
> + ndlp = kunit_kzalloc(test, sizeof(*ndlp), GFP_KERNEL);
[Severity: Medium]
Is the kref for this node list left as zero by the zero-allocation?
When lpfc_els_rcv_edc() calls lpfc_issue_els_edc_rsp() later in this path,
it attempts to take a reference via lpfc_nlp_get(ndlp). Because kref is
zero, won't this fail and return NULL, causing the function to silently abort
and skip sending the response?
This early abort would mask a potential crash, as phba->__lpfc_sli_issue_iocb
does not appear to be stubbed in the lpfc_edc_kunit_setup_hba() mock setup.
> + cmdiocb = kunit_kzalloc(test, sizeof(*cmdiocb), GFP_KERNEL);
> + cmd_dmabuf = kunit_kzalloc(test, sizeof(*cmd_dmabuf), GFP_KERNEL);
> + KUNIT_ASSERT_NOT_NULL(test, phba);
> + KUNIT_ASSERT_NOT_NULL(test, vport);
> + KUNIT_ASSERT_NOT_NULL(test, ndlp);
> + KUNIT_ASSERT_NOT_NULL(test, cmdiocb);
> + KUNIT_ASSERT_NOT_NULL(test, cmd_dmabuf);
[ ... ]
> + cmdiocb->cmd_dmabuf = cmd_dmabuf;
> + lpfc_els_rcv_edc(vport, cmdiocb, ndlp, payload_len);
[Severity: High]
This is a pre-existing issue, but missing bounds checks for unknown EDC
diagnostic descriptors in lpfc_els_rcv_edc() could allow an underflow of
bytes_remain.
In the target function:
lpfc_els.c:lpfc_els_rcv_edc() {
...
while (bytes_remain) {
...
switch (dtag) {
...
default:
dtag_nm = lpfc_get_tlv_dtag_nm(dtag);
lpfc_printf_log(phba, KERN_WARNING, ...);
}
bytes_remain -= FC_TLV_DESC_SZ_FROM_LENGTH(tlv);
tlv = fc_tlv_next_desc(tlv);
...
}
If a remote FC node sends an unknown descriptor tag whose length is maliciously
crafted to be larger than the remaining payload, won't bytes_remain underflow
to a huge value since there is no bounds check in the default switch case?
This could bypass the loop termination and allow an out-of-bounds read on the
next iteration.
> +
> + KUNIT_EXPECT_TRUE(test, true);
> + lpfc_edc_kunit_teardown_hba(phba);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260710022932.3741311-1-michael.bommarito@gmail.com?part=2
next prev parent reply other threads:[~2026-07-10 2:43 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-10 2:29 [PATCH 0/2] scsi: lpfc: bound EDC descriptor TLV walk Michael Bommarito
2026-07-10 2:29 ` [PATCH 1/2] scsi: lpfc: bound EDC descriptor list by payload length Michael Bommarito
2026-07-10 2:42 ` sashiko-bot
2026-07-10 2:29 ` [PATCH 2/2] scsi: lpfc: add KUnit coverage for EDC descriptor bounds Michael Bommarito
2026-07-10 2:43 ` sashiko-bot [this message]
2026-07-10 16:53 ` [PATCH 0/2] scsi: lpfc: bound EDC descriptor TLV walk Justin Tee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260710024349.ACECB1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=michael.bommarito@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox