linux-scsi.vger.kernel.org archive mirror
* [PATCH 1/1] qla2xxx: Fix unbound NVME response length
@ 2020-01-21 19:15 Himanshu Madhani
  2020-01-21 19:19 ` Himanshu Madhani
  0 siblings, 1 reply; 2+ messages in thread
From: Himanshu Madhani @ 2020-01-21 19:15 UTC (permalink / raw)
  To: James.Bottomley, martin.petersen; +Cc: hmadhani, linux-scsi

From: Arun Easi <aeasi@marvell.com>

In certain cases, when the response length is less than 32, NVME response data
is supplied inline in the IOCB. This is indicated by some combination of state
flags. There was an instance when a high, and incorrect, response length was
indicated, causing the driver to overrun buffers. Fix this by checking and
limiting the response payload length.

Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling")
Cc: stable@vger.kernel.org
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
---
Hi Martin,

We discovered an issue with our newer Gen7 adapter: when the response length
happens to be larger than 32 bytes, it could result in a crash.

Please apply this to 5.5/scsi-fixes branch at your earliest convenience.

Changes from v3 -> v2

o use "sizeof(struct nvme_fc_ersp_iu)" in missed place.

Changes from v2 -> v3

o Use "sizeof(struct nvme_fc_ersp_iu)" to indicate response payload size.

Changes from v1 -> v2

o Fixed the tag for stable.
o Removed logit which spilled over from another patch, to prevent a compile failure.

Thanks,
Himanshu
---
 drivers/scsi/qla2xxx/qla_isr.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index e7bad0bfffda..4caec94d8e99 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1939,6 +1939,16 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req,
 		inbuf = (uint32_t *)&sts->nvme_ersp_data;
 		outbuf = (uint32_t *)fd->rspaddr;
 		iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len);
+		if (unlikely(iocb->u.nvme.rsp_pyld_len >
+		    sizeof(struct nvme_fc_ersp_iu))) {
+			WARN_ONCE(1, "Unexpected response payload length %u.\n",
+			    iocb->u.nvme.rsp_pyld_len);
+			ql_log(ql_log_warn, fcport->vha, 0x5100,
+			    "Unexpected response payload length %u.\n",
+			    iocb->u.nvme.rsp_pyld_len);
+			iocb->u.nvme.rsp_pyld_len =
+			    sizeof(struct nvme_fc_ersp_iu);
+		}
 		iter = iocb->u.nvme.rsp_pyld_len >> 2;
 		for (; iter; iter--)
 			*outbuf++ = swab32(*inbuf++);
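Review bot: the clamp bounds `rsp_pyld_len` by `sizeof(struct nvme_fc_ersp_iu)`, which is the size of the response IU type, not of either buffer the loop below actually walks: the inline source `sts->nvme_ersp_data` and the destination behind `fd->rspaddr`. Unless both are guaranteed to be at least that large, `iter = iocb->u.nvme.rsp_pyld_len >> 2;` followed by `*outbuf++ = swab32(*inbuf++);` can still run past one of them; clamping against `sizeof(sts->nvme_ersp_data)` and the size of the buffer the NVMe layer supplied together with `fd->rspaddr` would tie the bound to the memory being copied. Two smaller points: `WARN_ONCE` and `ql_log` print the same message, and a WARN stack dump triggered by a malformed length from the adapter is noisy on a production path, so the `ql_log` line alone seems enough; and after clamping, the command completes with a silently truncated response rather than being failed, which the NVMe layer cannot detect, so consider flagging the completion as an error instead.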
-- 
2.12.0


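The bug class the commit message describes, as an added example that is not code from the qla2xxx driver or from the patch author: a constructed model in which a firmware-supplied 16-bit length field drives a byte-swapping 32-bit word copy from an IOCB's inline response area into the caller's response buffer. The unbounded routine trusts that length and walks past the buffer, which a canary region detects; the bounded routine clamps it the way the patch does (to the response IU size) and additionally to the destination buffer size, which goes beyond the patch. The IOCB layout, the 32-byte IU size (assumed to match `sizeof(struct nvme_fc_ersp_iu)`), buffer sizes and all names are assumptions made for this example.

```c
/*
 * Added example, not qla2xxx code: constructed model of an inline NVMe
 * response copy driven by a device-supplied length, with and without a bound.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ERSP_IU_BYTES 32u  /* assumed sizeof(struct nvme_fc_ersp_iu) */
#define IOCB_BYTES    64u  /* constructed IOCB: length at offset 0, inline IU at offset 4 */
#define ERSP_OFFSET    4u
#define RSP_BUF_BYTES 32u  /* constructed caller response buffer */
#define ARENA_BYTES   96u  /* response buffer followed by canary bytes */
#define CANARY      0xA5u

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t swab32(uint32_t x)
{
    return (x >> 24) | ((x >> 8) & 0xff00u) | ((x << 8) & 0xff0000u) | (x << 24);
}

/* Word copy shaped like the driver loop: len >> 2 words, each byte-swapped. */
static void copy_words(uint8_t *dst, const uint8_t *src, size_t nwords)
{
    for (; nwords; nwords--) {
        uint32_t w;
        memcpy(&w, src, sizeof w);
        w = swab32(w);
        memcpy(dst, &w, sizeof w);
        src += 4;
        dst += 4;
    }
}

/* Before the fix: the firmware-supplied length alone decides how much is copied. */
static size_t copy_rsp_unbounded(const uint8_t *iocb, uint8_t *rspaddr)
{
    uint16_t len = rd_le16(iocb);
    copy_words(rspaddr, iocb + ERSP_OFFSET, len >> 2);
    return len;
}

/* After the fix, plus a destination bound: clamp to the IU size and to the caller's buffer. */
static size_t copy_rsp_bounded(const uint8_t *iocb, uint8_t *rspaddr, size_t rsplen)
{
    uint16_t len = rd_le16(iocb);
    size_t limit = ERSP_IU_BYTES < rsplen ? ERSP_IU_BYTES : rsplen;
    if (len > limit) {
        fprintf(stderr, "unexpected response payload length %u, clamping to %zu\n",
                (unsigned)len, limit);
        len = (uint16_t)limit;
    }
    copy_words(rspaddr, iocb + ERSP_OFFSET, len >> 2);
    return len;
}

/* Constructed IOCB: given length field, payload bytes 0,1,2,... after the inline offset. */
static void build_iocb(uint8_t *iocb, uint16_t rsp_pyld_len)
{
    memset(iocb, 0, IOCB_BYTES);
    iocb[0] = (uint8_t)(rsp_pyld_len & 0xff);
    iocb[1] = (uint8_t)(rsp_pyld_len >> 8);
    for (size_t i = 0; i < IOCB_BYTES - ERSP_OFFSET; i++)
        iocb[ERSP_OFFSET + i] = (uint8_t)i;
}

/* Run one copy into a canary-backed arena; return how many canary bytes were clobbered. */
static size_t canary_bytes_clobbered(uint16_t rsp_pyld_len, int bounded)
{
    uint8_t iocb[IOCB_BYTES], arena[ARENA_BYTES];
    size_t n = 0;

    build_iocb(iocb, rsp_pyld_len);
    memset(arena, CANARY, sizeof arena);
    if (bounded)
        copy_rsp_bounded(iocb, arena, RSP_BUF_BYTES);
    else
        copy_rsp_unbounded(iocb, arena);
    for (size_t i = RSP_BUF_BYTES; i < ARENA_BYTES; i++)
        if (arena[i] != CANARY)
            n++;
    return n;
}

/* Length the bounded copy actually used for a given length field and buffer size. */
static size_t bounded_copy_len(uint16_t rsp_pyld_len, size_t rsplen)
{
    uint8_t iocb[IOCB_BYTES], rsp[ARENA_BYTES];
    build_iocb(iocb, rsp_pyld_len);
    return copy_rsp_bounded(iocb, rsp, rsplen);
}

int main(void)
{
    printf("unbounded copy, length 60: %zu canary bytes clobbered\n",
           canary_bytes_clobbered(60, 0));
    printf("bounded copy, length 60: %zu canary bytes clobbered, %zu bytes copied\n",
           canary_bytes_clobbered(60, 1), bounded_copy_len(60, RSP_BUF_BYTES));
    return 0;
}
```

The canary arena keeps the overrun inside one object, so the unbounded case is observable without undefined behaviour; in the driver the same write lands in whatever follows the response buffer.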

* Re: [PATCH 1/1] qla2xxx: Fix unbound NVME response length
  2020-01-21 19:15 [PATCH 1/1] qla2xxx: Fix unbound NVME response length Himanshu Madhani
@ 2020-01-21 19:19 ` Himanshu Madhani
  0 siblings, 0 replies; 2+ messages in thread
From: Himanshu Madhani @ 2020-01-21 19:19 UTC (permalink / raw)
  To: James.Bottomley, martin.petersen; +Cc: linux-scsi

I sent this out prematurely; please ignore. I will send the correct v4 of this patch.


