| Message ID | 1470846653-90691-10-git-send-email-maier@linux.vnet.ibm.com (mailing list archive) |
|---|---|
| State | Accepted, archived |
| Headers | show |
On 08/10/2016 06:30 PM, Steffen Maier wrote: > commit 2c55b750a884b86dea8b4cc5f15e1484cc47a25c > ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") > started to add FC_CT_HDR_LEN which made zfcp dump random data > out of bounds for RSPN GS responses because u.rspn.rsp > is the largest and last field in the union of struct zfcp_fc_req. > Other request/response types only happened to stay within bounds > due to the padding of the union or > due to the trace capping of u.gspn.rsp to ZFCP_DBF_SAN_MAX_PAYLOAD. > > Timestamp : ... > Area : SAN > Subarea : 00 > Level : 1 > Exception : - > CPU id : .. > Caller : ... > Record id : 2 > Tag : fsscth2 > Request id : 0x... > Destination ID : 0x00fffffc > Payload short : 01000000 fc020000 80020000 00000000 > xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx <=== > 00000000 00000000 00000000 00000000 > Payload length : 32 <=== > > struct zfcp_fc_req { > [0] struct zfcp_fsf_ct_els ct_els; > [56] struct scatterlist sg_req; > [96] struct scatterlist sg_rsp; > union { > struct {req; rsp;} adisc; SIZE: 28+28= 56 > struct {req; rsp;} gid_pn; SIZE: 24+20= 44 > struct {rspsg; req;} gpn_ft; SIZE: 40*4+20=180 > struct {req; rsp;} gspn; SIZE: 20+273= 293 > struct {req; rsp;} rspn; SIZE: 277+16= 293 > [136] } u; > } > SIZE: 432 > > Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com> > Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") > Cc: <stable@vger.kernel.org> #2.6.38+ > Reviewed-by: Alexey Ishchuk <aishchuk@linux.vnet.ibm.com> > Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com> > --- > drivers/s390/scsi/zfcp_dbf.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c > index 968897f5e1c6..d8c0bfb40366 100644 > --- a/drivers/s390/scsi/zfcp_dbf.c > +++ b/drivers/s390/scsi/zfcp_dbf.c > @@ -389,7 +389,7 @@ void zfcp_dbf_san_req(char *tag, struct zfcp_fsf_req *fsf, u32 d_id) > struct zfcp_fsf_ct_els *ct_els = fsf->data; > u16 length; > > - length = (u16)(ct_els->req->length + FC_CT_HDR_LEN); > + length = (u16)(ct_els->req->length); > zfcp_dbf_san(tag, dbf, sg_virt(ct_els->req), ZFCP_DBF_SAN_REQ, length, > fsf->req_id, d_id); > } > @@ -405,7 +405,7 @@ void zfcp_dbf_san_res(char *tag, struct zfcp_fsf_req *fsf) > struct zfcp_fsf_ct_els *ct_els = fsf->data; > u16 length; > > - length = (u16)(ct_els->resp->length + FC_CT_HDR_LEN); > + length = (u16)(ct_els->resp->length); > zfcp_dbf_san(tag, dbf, sg_virt(ct_els->resp), ZFCP_DBF_SAN_RES, length, > fsf->req_id, ct_els->d_id); > } > Reviewed-by: Hannes Reinecke <hare@suse.com> Cheers, Hannes
diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c index 968897f5e1c6..d8c0bfb40366 100644 --- a/drivers/s390/scsi/zfcp_dbf.c +++ b/drivers/s390/scsi/zfcp_dbf.c @@ -389,7 +389,7 @@ void zfcp_dbf_san_req(char *tag, struct zfcp_fsf_req *fsf, u32 d_id) struct zfcp_fsf_ct_els *ct_els = fsf->data; u16 length; - length = (u16)(ct_els->req->length + FC_CT_HDR_LEN); + length = (u16)(ct_els->req->length); zfcp_dbf_san(tag, dbf, sg_virt(ct_els->req), ZFCP_DBF_SAN_REQ, length, fsf->req_id, d_id); } @@ -405,7 +405,7 @@ void zfcp_dbf_san_res(char *tag, struct zfcp_fsf_req *fsf) struct zfcp_fsf_ct_els *ct_els = fsf->data; u16 length; - length = (u16)(ct_els->resp->length + FC_CT_HDR_LEN); + length = (u16)(ct_els->resp->length); zfcp_dbf_san(tag, dbf, sg_virt(ct_els->resp), ZFCP_DBF_SAN_RES, length, fsf->req_id, ct_els->d_id); }
commit 2c55b750a884b86dea8b4cc5f15e1484cc47a25c ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") started to add FC_CT_HDR_LEN which made zfcp dump random data out of bounds for RSPN GS responses because u.rspn.rsp is the largest and last field in the union of struct zfcp_fc_req. Other request/response types only happened to stay within bounds due to the padding of the union or due to the trace capping of u.gspn.rsp to ZFCP_DBF_SAN_MAX_PAYLOAD. Timestamp : ... Area : SAN Subarea : 00 Level : 1 Exception : - CPU id : .. Caller : ... Record id : 2 Tag : fsscth2 Request id : 0x... Destination ID : 0x00fffffc Payload short : 01000000 fc020000 80020000 00000000 xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx <=== 00000000 00000000 00000000 00000000 Payload length : 32 <=== struct zfcp_fc_req { [0] struct zfcp_fsf_ct_els ct_els; [56] struct scatterlist sg_req; [96] struct scatterlist sg_rsp; union { struct {req; rsp;} adisc; SIZE: 28+28= 56 struct {req; rsp;} gid_pn; SIZE: 24+20= 44 struct {rspsg; req;} gpn_ft; SIZE: 40*4+20=180 struct {req; rsp;} gspn; SIZE: 20+273= 293 struct {req; rsp;} rspn; SIZE: 277+16= 293 [136] } u; } SIZE: 432 Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com> Fixes: 2c55b750a884 ("[SCSI] zfcp: Redesign of the debug tracing for SAN records.") Cc: <stable@vger.kernel.org> #2.6.38+ Reviewed-by: Alexey Ishchuk <aishchuk@linux.vnet.ibm.com> Reviewed-by: Benjamin Block <bblock@linux.vnet.ibm.com> --- drivers/s390/scsi/zfcp_dbf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)