On 1/15/20, 10:12 AM, "Bart Van Assche" <bvanassche@xxxxxxx> wrote:

On 1/14/20 6:44 PM, Himanshu Madhani wrote:
> From: Arun Easi <aeasi@xxxxxxxxxxx>
>
> In certain cases when the response length is less than 32, NVME response data
> is supplied inline in the IOCB. This is indicated by some combination of state
> flags. There was an instance when a high, and incorrect, response length was
> indicated, causing the driver to overrun buffers. Fix this by checking and
> limiting the response payload length.
>
> Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Arun Easi <aeasi@xxxxxxxxxxx>
> Signed-off-by: Himanshu Madhani <hmadhani@xxxxxxxxxxx>
> ---
> Hi Martin,
>
> We discovered an issue with our newer Gen7 adapter when the response length
> happens to be larger than 32 bytes, which could result in a crash.
>
> Please apply this to the 5.5/scsi-fixes branch at your earliest convenience.
>
> Thanks,
> Himanshu
> ---
> drivers/scsi/qla2xxx/qla_isr.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
> index e7bad0bfffda..90e816d13b0e 100644
> --- a/drivers/scsi/qla2xxx/qla_isr.c
> +++ b/drivers/scsi/qla2xxx/qla_isr.c
> @@ -1939,6 +1939,15 @@ static void qla24xx_nvme_iocb_entry(scsi_qla_host_t *vha, struct req_que *req, > inbuf = (uint32_t *)&sts->nvme_ersp_data; > outbuf = (uint32_t *)fd->rspaddr; > iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len); > + if (unlikely(iocb->u.nvme.rsp_pyld_len > 32)) { > + WARN_ONCE(1, "Unexpected response payload length %u.\n", > + iocb->u.nvme.rsp_pyld_len); > + ql_log(ql_log_warn, fcport->vha, 0x5100, > + "Unexpected response payload length %u.\n", > + iocb->u.nvme.rsp_pyld_len); > + iocb->u.nvme.rsp_pyld_len = 32; > + logit = 1; > + } > iter = iocb->u.nvme.rsp_pyld_len >> 2; > for (; iter; iter--) > *outbuf++ = swab32(*inbuf++);
>

Please change the constant '32' into sizeof(...) or into a symbolic name.

Will do that. Thanks.

Thanks,

Bart.
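Review bot: in the new `if (unlikely(iocb->u.nvme.rsp_pyld_len > 32))` block, a firmware-supplied length that exceeds the inline area is clamped to 32 and the copy then proceeds as if the completion were good, so the NVMe layer receives a silently truncated response; please confirm that the `logit = 1` path (or an explicit error status) prevents such a command from completing as a success. Two smaller points: the check and the clamp should both use `sizeof(sts->nvme_ersp_data)` rather than the literal 32, since that is the buffer the bound protects, and `WARN_ONCE` plus `ql_log` here emit the identical "Unexpected response payload length %u." message, so one of the two looks redundant.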