From: James Smart <jsmart2021@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: James Smart <jsmart2021@gmail.com>,
	Dick Kennedy <dick.kennedy@broadcom.com>
Subject: [PATCH 05/14] lpfc: Fix oops due to overrun when reading SLI3 data
Date: Tue, 30 Jun 2020 14:49:52 -0700
Message-ID: <20200630215001.70793-6-jsmart2021@gmail.com>
In-Reply-To: <20200630215001.70793-1-jsmart2021@gmail.com>

When using DUMP on SLI3 to read VPD and Port status data (config region
23), the adapter is overrunning the kmalloc'd buffer, causing havoc on
other consumers of the allocation pools.

Rework the loops processing the dump data and validate/size memory lengths
before performing bcopy's.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
---
 drivers/scsi/lpfc/lpfc_init.c | 14 ++++++++------
 drivers/scsi/lpfc/lpfc_sli.c  | 14 +++++++-------
 2 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index 69a5249e007a..287a78185dc7 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -253,13 +253,15 @@ lpfc_config_port_prep(struct lpfc_hba *phba)
 		 */
 		if (mb->un.varDmp.word_cnt == 0)
 			break;
-		if (mb->un.varDmp.word_cnt > DMP_VPD_SIZE - offset)
-			mb->un.varDmp.word_cnt = DMP_VPD_SIZE - offset;
+
+		i =  mb->un.varDmp.word_cnt * sizeof(uint32_t);
+		if (offset + i >  DMP_VPD_SIZE)
+			i =  DMP_VPD_SIZE - offset;
 		lpfc_sli_pcimem_bcopy(((uint8_t *)mb) + DMP_RSP_OFFSET,
-				      lpfc_vpd_data + offset,
-				      mb->un.varDmp.word_cnt);
-		offset += mb->un.varDmp.word_cnt;
-	} while (mb->un.varDmp.word_cnt && offset < DMP_VPD_SIZE);
+				      lpfc_vpd_data  + offset, i);
+		offset += i;
+	} while (offset < DMP_VPD_SIZE);
+
 	lpfc_parse_vpd(phba, lpfc_vpd_data, offset);
 
 	kfree(lpfc_vpd_data);
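Review bot: the new length `i` in the copy loop is clamped only against the space left in the destination (`DMP_VPD_SIZE - offset`), so the read from `((uint8_t *)mb) + DMP_RSP_OFFSET` is still sized by whatever `word_cnt` the adapter returns. Consider also capping `i` at the size of the mailbox response area before calling `lpfc_sli_pcimem_bcopy()`. The commit message should also state that `word_cnt` is now treated as a count of 32-bit words and converted to bytes, since the old code passed it to the copy unscaled. The doubled spaces in `i =  mb->...`, `>  DMP_VPD_SIZE` and `lpfc_vpd_data  + offset` should be dropped.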
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 3c61a6d72a1a..c598bef5cad4 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -19347,7 +19347,7 @@ lpfc_sli_get_config_region23(struct lpfc_hba *phba, char *rgn23_data)
 	LPFC_MBOXQ_t *pmb = NULL;
 	MAILBOX_t *mb;
 	uint32_t offset = 0;
-	int rc;
+	int i, rc;
 
 	if (!rgn23_data)
 		return 0;
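Review bot: `int i` in the declarations is used later in this function as a byte length that is added to `uint32_t offset` and compared against a size constant, so a signed type invites sign and truncation surprises. Declare it as `uint32_t` alongside `offset`, and give it a name that says what it holds (for example `len`).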
@@ -19377,14 +19377,14 @@ lpfc_sli_get_config_region23(struct lpfc_hba *phba, char *rgn23_data)
 		 */
 		if (mb->un.varDmp.word_cnt == 0)
 			break;
-		if (mb->un.varDmp.word_cnt > DMP_RGN23_SIZE - offset)
-			mb->un.varDmp.word_cnt = DMP_RGN23_SIZE - offset;
 
+		i =  mb->un.varDmp.word_cnt * sizeof(uint32_t);
+		if (offset + i >  DMP_RGN23_SIZE)
+			i =  DMP_RGN23_SIZE - offset;
 		lpfc_sli_pcimem_bcopy(((uint8_t *)mb) + DMP_RSP_OFFSET,
-				       rgn23_data + offset,
-				       mb->un.varDmp.word_cnt);
-		offset += mb->un.varDmp.word_cnt;
-	} while (mb->un.varDmp.word_cnt && offset < DMP_RGN23_SIZE);
+				      rgn23_data  + offset, i);
+		offset += i;
+	} while (offset < DMP_RGN23_SIZE);
 
 	mempool_free(pmb, phba->mbox_mem_pool);
 	return offset;
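Review bot: the bound check `if (offset + i >  DMP_RGN23_SIZE)` performs the addition before the comparison, with `i` an `int` assigned from `word_cnt * sizeof(uint32_t)` and `offset` a `uint32_t`. A very large `word_cnt` from the adapter can truncate in the assignment or wrap in the sum, in which case the clamp is skipped and the unclamped length reaches `lpfc_sli_pcimem_bcopy()` and `offset += i`. Because the loop keeps `offset < DMP_RGN23_SIZE`, comparing against the remaining space, `if (i > DMP_RGN23_SIZE - offset)`, avoids the wrap, and bounding `word_cnt` before the multiplication closes the truncation case. The same pattern appears in the lpfc_init.c hunk.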
-- 
2.25.0

