
scsi: qla2xxx: Prevent firmware rejection of MBC_GET_RNID_PARAMS

Message ID 20230809141059.10790-1-magnani@ieee.org (mailing list archive)
State Rejected

Commit Message

Steve Magnani Aug. 9, 2023, 2:10 p.m. UTC
At least some firmware (for example, QLE2692 FW 8.08.231 (d0d5)) returns
MBS_COMMAND_PARAMETER_ERROR when MBC_GET_RNID_PARAMS(RNID_TYPE_PORT_LOGIN)
is issued with a transfer length of 4 (DWords). Correct the overrun fix to
issue a "normal" transfer length and instead limit copy-out of desired
PLOGI data to the space available for it.

Fixes: b68710a8094f ("scsi: qla2xxx: Fix buffer overrun")
Signed-off-by: "Steven J. Magnani" <magnani@ieee.org>
---
------------------------------------------------------------------------
 Steven J. Magnani               "I claim this network for MARS!
                                  Earthling, return my space modulator!"
 #include <standard.disclaimer>

Comments

Steve Magnani Aug. 9, 2023, 5:28 p.m. UTC | #1
Please disregard. It looks like the original patch b68710a8094f reduced 
the amount of data copied off so much that port logins are broken even 
though with my patch the firmware now processes GET_RNID_PARAMS. The 
breakage has been introduced during 6.5 (and propagated into 5.x stable 
branches) so there is some urgency to getting a proper fix.

I will send a short series to revert b68710a8094f and replace it with 
what I think is the correct overrun fix. AFAICT the overrun is only a 
single dword.


--Steve


On 2023-08-09 09:10, Steve Magnani wrote:
> At least some firmware (for example, QLE2692 FW 8.08.231 (d0d5)) 
> returns
> MBS_COMMAND_PARAMETER_ERROR when 
> MBC_GET_RNID_PARAMS(RNID_TYPE_PORT_LOGIN)
> is issued with a transfer length of 4 (DWords). Correct the overrun fix 
> to
> issue a "normal" transfer length and instead limit copy-out of desired
> PLOGI data to the space available for it.
> 
> Fixes: b68710a8094f ("scsi: qla2xxx: Fix buffer overrun")
> Signed-off-by: "Steven J. Magnani" <magnani@ieee.org>
> ---
> --- a/drivers/scsi/qla2xxx/qla_init.c	2023-08-01 03:46:21.727114453 
> -0500
> +++ b/drivers/scsi/qla2xxx/qla_init.c	2023-08-08 23:18:46.475286995 
> -0500
> @@ -5549,7 +5549,8 @@ static void qla_get_login_template(scsi_
>  	__be32 *q;
> 
>  	memset(ha->init_cb, 0, ha->init_cb_size);
> -	sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size);
> +	/* At least some firmware requires sz > sizeof(fc_els_csp) */
> +	sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size);
>  	rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma,
>  					    ha->init_cb, sz);
>  	if (rval != QLA_SUCCESS) {
> @@ -5560,6 +5561,7 @@ static void qla_get_login_template(scsi_
>  	q = (__be32 *)&ha->plogi_els_payld.fl_csp;
> 
>  	bp = (uint32_t *)ha->init_cb;
> +	sz = min_t(u32, sizeof(struct fc_els_csp), sz);
>  	cpu_to_be32_array(q, bp, sz / 4);
>  	ha->flags.plogi_template_valid = 1;
>  }

Patch

--- a/drivers/scsi/qla2xxx/qla_init.c	2023-08-01 03:46:21.727114453 -0500
+++ b/drivers/scsi/qla2xxx/qla_init.c	2023-08-08 23:18:46.475286995 -0500
@@ -5549,7 +5549,8 @@  static void qla_get_login_template(scsi_
 	__be32 *q;
 
 	memset(ha->init_cb, 0, ha->init_cb_size);
-	sz = min_t(int, sizeof(struct fc_els_csp), ha->init_cb_size);
+	/* At least some firmware requires sz > sizeof(fc_els_csp) */
+	sz = min_t(int, sizeof(struct fc_els_flogi), ha->init_cb_size);
 	rval = qla24xx_get_port_login_templ(vha, ha->init_cb_dma,
 					    ha->init_cb, sz);
 	if (rval != QLA_SUCCESS) {
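Review bot: The comment added above the `sz =` assignment states the firmware constraint but not the bound that keeps the transfer safe, and the `min_t()` does not guarantee that constraint. `sz` is the length handed to `qla24xx_get_port_login_templ()` together with `ha->init_cb_dma`, so it must never exceed `ha->init_cb_size`; if that size were ever below `sizeof(struct fc_els_flogi)`, the request would silently shrink again, possibly to a length the firmware rejects. I would word the comment as `/* Request a full FLOGI-sized template: some firmware rejects shorter lengths with MBS_COMMAND_PARAMETER_ERROR. Still capped at init_cb_size, the size of the buffer the firmware presumably writes into. */`. This line uses `min_t(int, ...)` while the second hunk clamps the same variable with `min_t(u32, ...)`; using one type for both would avoid a signed/unsigned mix. The function begins before this hunk and continues after it.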
@@ -5560,6 +5561,7 @@  static void qla_get_login_template(scsi_
 	q = (__be32 *)&ha->plogi_els_payld.fl_csp;
 
 	bp = (uint32_t *)ha->init_cb;
+	sz = min_t(u32, sizeof(struct fc_els_csp), sz);
 	cpu_to_be32_array(q, bp, sz / 4);
 	ha->flags.plogi_template_valid = 1;
 }
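Review bot: In the second hunk `sz` is reused for a different quantity, and the copy bound is written as a type size rather than taken from the destination. Before the added line `sz` is the length requested from the firmware; after it, `sz` is the number of bytes converted into `ha->plogi_els_payld.fl_csp`, which makes the `cpu_to_be32_array(q, bp, sz / 4)` call harder to audit for overrun. A separate new local bounded by the object `q` points at keeps the two apart: `copy_sz = min_t(u32, sizeof(ha->plogi_els_payld.fl_csp), sz);` followed by `cpu_to_be32_array(q, bp, copy_sz / 4);`. Whether the destination is just that member or the rest of `plogi_els_payld` cannot be checked from the hunk, because the structure's declaration is not shown; either way the bound should be computed from the destination. The function's opening lines are outside the hunk.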