From: sashiko-bot@kernel.org
To: "Jesse Taube" <jtaubepe@redhat.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v2] scsi: qla2xxx: Fix flex array member not at end
Date: Tue, 14 Jul 2026 19:27:46 +0000 [thread overview]
Message-ID: <20260714192746.EAAA11F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260714185621.610105-1-jtaubepe@redhat.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
New issues:
- [Low] The commit message incorrectly claims that structs were moved to the end of the parent structures, while the code actually uses a union trick to preserve the existing layout.
Pre-existing issues:
- [High] Heap out-of-bounds read due to missing request_len validation in BSG handlers.
--
--- Patch [1]: [PATCH v2] scsi: qla2xxx: Fix flex array member not at end ---
commit 71cbbca6ae587defc94dd45238daf79e9aba8d13
Author: Jesse Taube <jtaubepe@redhat.com>
scsi: qla2xxx: Fix flex array member not at end
This commit addresses the flex array member warning for struct fc_bsg_reply
and struct fc_bsg_request in qla_edif_bsg.h. It updates the parent structs
qla_bsg_auth_els_request and qla_bsg_auth_els_reply to wrap the flexible
array structures within unions.
> In qla_edif_bsg.h: struct fc_bsg_reply and struct fc_bsg_request
> have flexible array members, thus they must be the last member of
> the parent structure. Contininging in the effort to add
> -Wflex-array-member-not-at-end, move the structs to the end of
> the parent structures, struct qla_bsg_auth_els_reply and
> struct qla_bsg_auth_els_request .
[Severity: Low]
This isn't a bug, but the commit message states the structs are moved to
the end of the parent structures, while the code actually uses a union
trick with an anonymous struct padding to preserve the existing binary
layout. Could the message be updated to more accurately reflect the use of
the union rather than a structural move?
> diff --git a/drivers/scsi/qla2xxx/qla_edif_bsg.h b/drivers/scsi/qla2xxx/qla_edif_bsg.h
> index 514c265ba86e2..2b32a31856292 100644
> --- a/drivers/scsi/qla2xxx/qla_edif_bsg.h
> +++ b/drivers/scsi/qla2xxx/qla_edif_bsg.h
> @@ -36,16 +36,26 @@ struct extra_auth_els {
> } __packed;
>
> struct qla_bsg_auth_els_request {
> - struct fc_bsg_request r;
> - struct extra_auth_els e;
> + union {
> + struct fc_bsg_request r;
> + struct {
> + unsigned char __fc_bsg_request_sz[sizeof(struct fc_bsg_request)];
> + struct extra_auth_els e;
> + };
> + };
> };
[Severity: High]
This is a pre-existing issue, but while looking at these structures, is
there a missing bounds check on the request length when processing BSG
messages?
If a user issues an SG_IO ioctl to a BSG device with a minimal request_len
of 4 bytes but specifies a command requiring more data, bsg-lib allocates
exactly request_len bytes.
The generic FC transport increments cmdlen but reads vendor_id without
verifying the bounds:
drivers/scsi/scsi_transport_fc.c:fc_bsg_host_dispatch() {
...
case FC_BSG_HST_VENDOR:
cmdlen += sizeof(struct fc_bsg_host_vendor);
if ((shost->hostt->vendor_id == 0L) ||
(bsg_request->rqst_data.h_vendor.vendor_id !=
shost->hostt->vendor_id)) {
...
}
The qla2xxx driver also unconditionally reads req->e.sub_cmd from this
request structure at offset 20:
drivers/scsi/qla2xxx/qla_edif.c:qla_bsg_check() {
...
p = &req->e;
/* Get response */
if (p->sub_cmd == PULL_ELS) {
...
}
And unconditionally reads vendor_cmd[0] at offset 12:
drivers/scsi/qla2xxx/qla_bsg.c:qla2x00_process_vendor_specific() {
...
ql_dbg(ql_dbg_edif, vha, 0x911b, "%s FC_BSG_HST_VENDOR cmd[0]=0x%x\n",
__func__, bsg_request->rqst_data.h_vendor.vendor_cmd[0]);
...
}
Could this lead to a heap out-of-bounds read if request_len is too small?
[ ... ]
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260714185621.610105-1-jtaubepe@redhat.com?part=1
prev parent reply other threads:[~2026-07-14 19:27 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 18:56 [PATCH v2] scsi: qla2xxx: Fix flex array member not at end Jesse Taube
2026-07-14 19:27 ` sashiko-bot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260714192746.EAAA11F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=jtaubepe@redhat.com \
--cc=linux-scsi@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox