From patchwork Tue Jan 21 19:27:10 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Himanshu Madhani
X-Patchwork-Id: 11344453
From: Himanshu Madhani
Subject: [PATCH v4] qla2xxx: Fix unbound NVME response length
Date: Tue, 21 Jan 2020 11:27:10 -0800
Message-ID: <20200121192710.32314-1-hmadhani@marvell.com>
X-Mailer: git-send-email 2.12.0
Sender: linux-scsi-owner@vger.kernel.org
X-Mailing-List: linux-scsi@vger.kernel.org

From: Arun Easi

On certain cases when response length is less than 32, NVME response data
is supplied inline in IOCB. This is indicated by some combination of state
flags. There was an instance when a high, and incorrect, response length was
indicated causing driver to overrun buffers. Fix this by checking and
limiting the response payload length.

Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling")
Cc: stable@vger.kernel.org
Signed-off-by: Arun Easi
Signed-off-by: Himanshu Madhani Reviewed-by: Ewan D. Milne --- Hi Martin, We discovered issue with our newer Gen7 adapter when response length happens to be larger than 32 bytes, could result into crash. Please apply this to 5.5/scsi-fixes branch at your earliest convenience. Changes from v3 -> v4 o use "sizeof(struct nvme_fc_ersp_iu)" in missed place. Changes from v2 -> v3 o Use "sizeof(struct nvme_fc_ersp_iu)" to indicate response payload size. Changes from v1 -> v2 o Fixed the tag for stable. o Removed logit which got spilled from other patch to prevent compile failure. Thanks, Himanshu --- drivers/scsi/qla2xxx/qla_isr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index e7bad0bfffda..4caec94d8e99 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c @@ -1939,6 +1939,16 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, inbuf = (uint32_t *)&sts->nvme_ersp_data; outbuf = (uint32_t *)fd->rspaddr; iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len); + if (unlikely(iocb->u.nvme.rsp_pyld_len > + sizeof(struct nvme_fc_ersp_iu))) { + WARN_ONCE(1, "Unexpected response payload length %u.\n", + iocb->u.nvme.rsp_pyld_len); + ql_log(ql_log_warn, fcport->vha, 0x5100, + "Unexpected response payload length %u.\n", + iocb->u.nvme.rsp_pyld_len); + iocb->u.nvme.rsp_pyld_len = + sizeof(struct nvme_fc_ersp_iu); + } iter = iocb->u.nvme.rsp_pyld_len >> 2; for (; iter; iter--) *outbuf++ = swab32(*inbuf++);
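
Review bot: the clamp in the added block of qla24xx_nvme_iocb_entry() bounds rsp_pyld_len by sizeof(struct nvme_fc_ersp_iu), a type size, while the copy loop that follows reads from sts->nvme_ersp_data and writes through fd->rspaddr, and nothing in the hunk ties that type's size to either buffer. Please bound the length by the smaller of sizeof(sts->nvme_ersp_data) and the response buffer length that came with fd->rspaddr, or add a BUILD_BUG_ON and a short comment stating why the struct size is the right limit for both. Separately, WARN_ONCE(1, ...) is driven by a value read straight from the status IOCB (le16_to_cpu(sts->nvme_rsp_pyld_len)), so a misbehaving adapter can take down a host running with panic_on_warn; the ql_log() call already records the event, so the WARN_ONCE could be dropped, and the ql_log() itself is worth rate limiting since it can fire once per response. Finally, after the clamp the truncated payload is still byte-swapped into fd->rspaddr as if it were valid; consider completing the command with an error instead of handing the upper layer a shortened response.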