From: sashiko-bot@kernel.org
To: "Nilesh Javali" <njavali@marvell.com>
Cc: linux-scsi@vger.kernel.org
Subject: Re: [PATCH v5 25/56] scsi: qla2xxx: Handle sts_cont_entry_ext_t for 29xx adapters
Date: Fri, 17 Jul 2026 16:11:06 +0000 [thread overview]
Message-ID: <20260717161107.4A7AB1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260717152904.3155730-26-njavali@marvell.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Critical] FORTIFY_SOURCE buffer overread panic in continuation IOCB processing
Pre-existing issues:
- [High] Remote Denial of Service (Infinite Loop) via crafted payload colliding with RESPONSE_PROCESSED
- [Medium] Missing read memory barrier after signature polling loop
--
--- Patch [25]: [PATCH v5 25/56] scsi: qla2xxx: Handle sts_cont_entry_ext_t for 29xx adapters ---
commit 5af8ad3c722085f26948d73f06875dd765494eea
Author: Nilesh Javali <njavali@marvell.com>
scsi: qla2xxx: Handle sts_cont_entry_ext_t for 29xx adapters
This commit updates all status continuation IOCB processing paths to branch
on adapter type and handle 128-byte response queue entries for QLA29XX
hardware. It modifies several functions to use the correct data payload
size and structure cast to prevent truncation.
Closes: https://lore.kernel.org/oe-kbuild-all/202607142020.gqDaApes-lkp@intel.com/
> diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
> --- a/drivers/scsi/qla2xxx/qla_isr.c
> +++ b/drivers/scsi/qla2xxx/qla_isr.c
[ ... ]
> @@ -271,10 +276,12 @@ int __qla_copy_purex_to_buffer(struct scsi_qla_host *vha,
>
> do {
> while ((total_bytes > 0) && (entry_count_remaining > 0)) {
> - new_pkt = (sts_cont_entry_t *)rsp_q->ring_ptr;
> - *pkt = new_pkt;
> + *pkt = rsp_q->ring_ptr;
> + data = ((sts_cont_entry_t *)*pkt)->data;
> + data_sz = qla_sts_cont_data_size(ha);
[Severity: Critical]
Can this cast trigger a FORTIFY_SOURCE panic?
Looking at __qla_copy_purex_to_buffer() in drivers/scsi/qla2xxx/qla_isr.c,
the pointer data is initialized by casting the packet to sts_cont_entry_t,
which defines the data field as a statically known 60-byte array.
On QLA29XX adapters, data_sz is set to 124 bytes. When the subsequent
memcpy attempts to copy up to 124 bytes from this 60-byte pointer,
FORTIFY_SOURCE will detect a field-spanning read using __builtin_object_size
and panic the kernel with __read_overflow2.
Does this need to cast to the extended struct for 29xx adapters before
taking the address of the data field?
>
> - if (new_pkt->entry_type != STATUS_CONT_TYPE) {
> + if (((sts_cont_entry_t *)*pkt)->entry_type !=
> + STATUS_CONT_TYPE) {
[ ... ]
> @@ -906,28 +915,24 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host *vha, void **pkt,
> continue;
> }
[Severity: High]
This is a pre-existing issue, but could this loop spin infinitely?
Looking at the context above this diff block in qla27xx_copy_multiple_pkt(),
the driver waits for the firmware to populate the continuation IOCB by
spinning until signature != RESPONSE_PROCESSED.
Since the signature field is at offset 60, it overlaps with the payload
data written by the firmware. If a remote endpoint sends a crafted
payload where the bytes at offset 60 happen to match the
RESPONSE_PROCESSED constant, the driver will never see the signature
change and will loop infinitely with interrupts disabled.
Is there a safer way to poll for DMA completion without risking payload
collisions?
[Severity: Medium]
This is a pre-existing issue, but is a read memory barrier missing here?
After breaking out of the cpu_relax() polling loop, the code immediately
reads the payload data from the ring buffer. On weakly-ordered
architectures, the CPU can speculatively load the payload data before
the signature validation completes.
Does this need a dma_rmb() after the signature check to ensure the CPU
processes the newly DMA'd packet instead of stale ring memory?
>
> - new_pkt = (sts_cont_entry_t *)rsp_q->ring_ptr;
> - *pkt = new_pkt;
> + *pkt = rsp_q->ring_ptr;
> + data = ((sts_cont_entry_t *)*pkt)->data;
> + data_sz = qla_sts_cont_data_size(ha);
[Severity: Critical]
Can this cast also trigger a FORTIFY_SOURCE panic during memcpy?
Similar to __qla_copy_purex_to_buffer(), casting to sts_cont_entry_t
bounds the data pointer to 60 bytes, causing a panic when copying
up to 124 bytes on QLA29XX hardware.
[ ... ]
> @@ -1190,10 +1206,12 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host *vha, void **pkt,
> continue;
> }
>
> - new_pkt = (sts_cont_entry_t *)rsp_q->ring_ptr;
> - *pkt = new_pkt;
> + *pkt = rsp_q->ring_ptr;
> + data = ((sts_cont_entry_t *)*pkt)->data;
> + data_sz = qla_sts_cont_data_size(ha);
[Severity: Critical]
Does this copy path also suffer from the FORTIFY_SOURCE panic?
The same 60-byte array limitation applies here when qla27xx_copy_fpin_pkt()
processes FPIN packets on QLA29XX adapters.
[ ... ]
> @@ -3691,6 +3711,7 @@ qla2x00_status_cont_entry(struct rsp_que *rsp, sts_cont_entry_t *pkt)
> struct scsi_cmnd *cp;
> uint32_t sense_len;
> uint8_t *sense_ptr;
> + u8 *data = ((sts_cont_entry_t *)pkt)->data;
[Severity: Critical]
Can this cast trigger a FORTIFY_SOURCE panic when copying sense data?
Looking at qla2x00_status_cont_entry() in drivers/scsi/qla2xxx/qla_isr.c,
the data pointer is bounded to 60 bytes due to the sts_cont_entry_t cast.
When sense_sz exceeds 60 bytes on 29xx adapters, the subsequent memcpy
at the end of this function will panic the kernel.
Does this need to branch on adapter type to extract the data pointer safely?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260717152904.3155730-1-njavali@marvell.com?part=25
next prev parent reply other threads:[~2026-07-17 16:11 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-17 15:28 [PATCH v5 00/56] scsi: qla2xxx: Add QLA29xx series adapter support Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 01/56] scsi: qla2xxx: Add 29xx series PCI device ID support Nilesh Javali
2026-07-17 16:36 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 02/56] scsi: qla2xxx: Add flash read/write interface for 29xx Nilesh Javali
2026-07-17 16:05 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 03/56] scsi: qla2xxx: Add NVRAM config support for 29xx adapters Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 04/56] scsi: qla2xxx: Add 29xx support in queue initialisation path Nilesh Javali
2026-07-17 16:09 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 05/56] scsi: qla2xxx: Add FC operational firmware load for 29xx Nilesh Javali
2026-07-17 15:53 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 06/56] scsi: qla2xxx: Remove redundant VPD flash read in sysfs read path Nilesh Javali
2026-07-17 15:58 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 07/56] scsi: qla2xxx: Add flash block read/write BSG support for 29xx Nilesh Javali
2026-07-17 16:02 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 08/56] scsi: qla2xxx: Add BSG MPI firmware load/dump " Nilesh Javali
2026-07-17 15:51 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 09/56] scsi: qla2xxx: Add 128-byte IOCB definitions " Nilesh Javali
2026-07-17 15:49 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 10/56] scsi: qla2xxx: Add extended status continuation and marker IOCBs Nilesh Javali
2026-07-17 15:42 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 11/56] scsi: qla2xxx: Update IO path to use 128-byte IOCBs for 29xx Nilesh Javali
2026-07-17 16:13 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 12/56] scsi: qla2xxx: Skip image-set-valid attribute " Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 13/56] scsi: qla2xxx: Skip unsupported sysfs attributes " Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 14/56] scsi: qla2xxx: Enable get_fw_version mailbox " Nilesh Javali
2026-07-17 15:55 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 15/56] scsi: qla2xxx: Extend execute_fw mailbox to include 29xx Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 16/56] scsi: qla2xxx: Enable get_adapter_id mailbox for 29xx Nilesh Javali
2026-07-17 16:00 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 17/56] scsi: qla2xxx: Enable init_firmware " Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 18/56] scsi: qla2xxx: Enable get_firmware_state " Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 19/56] scsi: qla2xxx: Enable serdes, resource count and FCE trace " Nilesh Javali
2026-07-17 16:30 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 20/56] scsi: qla2xxx: Enable set_els_cmds and echo_test " Nilesh Javali
2026-07-17 15:56 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 21/56] scsi: qla2xxx: Add support for QLA29XX in data rate functions Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 22/56] scsi: qla2xxx: Enable qla2x00_shutdown for 29xx Nilesh Javali
2026-07-17 16:01 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 23/56] scsi: qla2xxx: Use ring-slot helpers in __qla2x00_alloc_iocbs Nilesh Javali
2026-07-17 16:03 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 24/56] scsi: qla2xxx: Add support for QLA29XX in memory allocation Nilesh Javali
2026-07-17 16:20 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 25/56] scsi: qla2xxx: Handle sts_cont_entry_ext_t for 29xx adapters Nilesh Javali
2026-07-17 16:11 ` sashiko-bot [this message]
2026-07-17 15:28 ` [PATCH v5 26/56] scsi: qla2xxx: Update handling of status entries for 29xx series Nilesh Javali
2026-07-17 16:20 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 27/56] scsi: qla2xxx: Enhance ct_entry_24xx_ext iocb handling " Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 28/56] scsi: qla2xxx: Enhance purex_entry " Nilesh Javali
2026-07-17 18:29 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 29/56] scsi: qla2xxx: Update handling of ELS IOCBs " Nilesh Javali
2026-07-17 16:17 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 30/56] scsi: qla2xxx: Add size check for ELS status entry layout on 29xx Nilesh Javali
2026-07-17 16:14 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 31/56] scsi: qla2xxx: Add 29xx extended logio IOCB support Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 32/56] scsi: qla2xxx: Enhance task management IOCB handling for 29xx series Nilesh Javali
2026-07-17 18:31 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 33/56] scsi: qla2xxx: Add abort command " Nilesh Javali
2026-07-17 16:42 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 34/56] scsi: qla2xxx: Enhance ABTS processing " Nilesh Javali
2026-07-17 16:49 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 35/56] scsi: qla2xxx: Update VP control IOCB handling " Nilesh Javali
2026-07-17 16:48 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 36/56] scsi: qla2xxx: Add build-time size check for VP config IOCB layout Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 37/56] scsi: qla2xxx: Add size check for extended VP report ID entry Nilesh Javali
2026-07-17 16:29 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 38/56] scsi: qla2xxx: Add LS4 pass-through IOCB handling for 29xx series Nilesh Javali
2026-07-17 16:36 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 39/56] scsi: qla2xxx: Adjust feature gating in BSG paths for 29xx support Nilesh Javali
2026-07-17 16:38 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 40/56] scsi: qla2xxx: Fix queue teardown NULL dma_free and bitmap locking Nilesh Javali
2026-07-17 16:49 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 41/56] scsi: qla2xxx: Replace __le16 bitfields with scalar and accessors Nilesh Javali
2026-07-17 16:46 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 42/56] scsi: qla2xxx: Fix endianness annotations in vp_rpt_id_entry structures Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 43/56] scsi: qla2xxx: Use 64-bit FPM word counters for 29xx host stats Nilesh Javali
2026-07-17 16:28 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 44/56] scsi: qla2xxx: Add 64G/128G port speed setting support Nilesh Javali
2026-07-17 16:32 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 45/56] scsi: qla2xxx: Fix 64G link speed reporting in get_data_rate Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 46/56] scsi: qla2xxx: edif: Fix NULL pointer deref in RX SA delete check Nilesh Javali
2026-07-17 17:37 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 47/56] scsi: qla2xxx: Fix Name Server logout detection on FWI2 adapters Nilesh Javali
2026-07-17 15:28 ` [PATCH v5 48/56] scsi: qla2xxx: Bound VP index against VP_CTRL IOCB bitmap size Nilesh Javali
2026-07-17 16:53 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 49/56] scsi: qla2xxx: Check entry_status in qla24xx_modify_vp_config() Nilesh Javali
2026-07-17 16:59 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 50/56] scsi: qla2xxx: Hold vport reference in qla24xx_report_id_acquisition() Nilesh Javali
2026-07-17 17:08 ` sashiko-bot
2026-07-17 15:28 ` [PATCH v5 51/56] scsi: qla2xxx: Initialize NVMe abort_work once at submission Nilesh Javali
2026-07-17 16:45 ` sashiko-bot
2026-07-17 15:29 ` [PATCH v5 52/56] scsi: qla2xxx: Hold qpair lock when sending NVMe LS reject Nilesh Javali
2026-07-17 16:55 ` sashiko-bot
2026-07-17 15:29 ` [PATCH v5 53/56] scsi: qla2xxx: Zero dport diagnostics buffer to avoid info leak Nilesh Javali
2026-07-17 17:10 ` sashiko-bot
2026-07-17 15:29 ` [PATCH v5 54/56] scsi: qla2xxx: Fix BSG job leak on validate flash image error path Nilesh Javali
2026-07-17 16:57 ` sashiko-bot
2026-07-17 15:29 ` [PATCH v5 55/56] scsi: qla2xxx: Bound image count in qla2x00_update_fru_versions() Nilesh Javali
2026-07-17 17:04 ` sashiko-bot
2026-07-17 15:29 ` [PATCH v5 56/56] scsi: qla2xxx: Update version to 12.00.00.2607b1 Nilesh Javali
2026-07-17 16:54 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260717161107.4A7AB1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=njavali@marvell.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox