Hello Sathya, thanks for the comment. On Dec 12, 2022 / 22:38, Sathya Prakash Veerichetty wrote: > On Mon, Dec 12, 2022 at 5:52 PM Shin'ichiro Kawasaki > <shinichiro.kawasaki@xxxxxxx> wrote: > > > > The function mpi3mr_get_all_tgt_info calculates size of alltgt_info and > > allocate memory for it. After preparing valid data in alltgt_info, it > > calls sg_copy_from_buffer to copy alltgt_info to job->request_payload, > > specifying length of the payload as copy length. This length is larger > > than the calculated alltgt_info size. It causes memory access to invalid > > address and results in "BUG: KASAN: slab-out-of-bounds". The BUG was > > observed during boot using systems with eHBA-9600. By updating the HBA > > firmware to latest version 8.3.1.0 the BUG was not observed during boot, > > but still observed when command "storcli2 /c0 show" is executed. > > > > Fix the BUG by specifying the calculated alltgt_info size as copy > > length. Also check that the copy destination payload length is larger > > than the copy length. > > > > Fixes: f5e6d5a34376 ("scsi: mpi3mr: Add support for driver commands") > > Cc: stable@xxxxxxxxxxxxxxx > > Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@xxxxxxx> > > Reviewed-by: Damien Le Moal <damien.lemoal@xxxxxxxxxxxxxxxxxx> > > Thanks for the patch, though this code needs a fix, the changes are > not correct and needs modification. > > --- > > drivers/scsi/mpi3mr/mpi3mr_app.c | 9 ++++++++- > > 1 file changed, 8 insertions(+), 1 deletion(-) > > > > diff --git a/drivers/scsi/mpi3mr/mpi3mr_app.c b/drivers/scsi/mpi3mr/mpi3mr_app.c > > index 9baac224b213..2e35b0fece9c 100644 > > --- a/drivers/scsi/mpi3mr/mpi3mr_app.c > > +++ b/drivers/scsi/mpi3mr/mpi3mr_app.c > > @@ -322,6 +322,13 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, > > > > kern_entrylen = (num_devices - 1) * sizeof(*devmap_info); > > size = sizeof(*alltgt_info) + kern_entrylen; > > + > > + if (size > job->request_payload.payload_len) { > > + dprint_bsg_err(mrioc, "%s: payload length is too small\n", > > + __func__); > > + return rval; > > + } > > + > This check is not needed, this is already handled by reducing the size > to be copied to the given payload size Ah, I see that min_entrylen is prepared to copy bytes smaller than the payload size. > > alltgt_info = kzalloc(size, GFP_KERNEL); > > if (!alltgt_info) > > return -ENOMEM; > > @@ -358,7 +365,7 @@ static long mpi3mr_get_all_tgt_info(struct mpi3mr_ioc *mrioc, > > > > sg_copy_from_buffer(job->request_payload.sg_list, > > job->request_payload.sg_cnt, > > - alltgt_info, job->request_payload.payload_len); > > + alltgt_info, size); > instead of size, this should be min_entry_len+sizeof(u32). Thanks for the comment. I read through mpi3mr_get_all_tgt_info() again. I still have three unclear points. Your comments on them will be appreciated. 1) copy length The pointer alltgt_info points to the struct below, which is defined in include/uapi/scsi/scsi_bsg_mpi3mr.h (I refer kernel code at v6.1): struct mpi3mr_all_tgt_info { __u16 num_devices; __u16 rsvd1; __u32 rsvd2; struct mpi3mr_device_map_info dmi[1]; }; When we copy "min_entrylen+sizeof(u32)", it looks for me that the struct is copied partially. The expected length is as follows, isn't it? "min_entrylen + sizeof(u16) + sizeof(u16) + sizeof(u32)" Regarding the min_entrylen, I find code in mpi3mr_get_all_tgt_info: usr_entrylen = (job->request_payload.payload_len - sizeof(u32)) / sizeof(*devmap_info); usr_entrylen *= sizeof(*devmap_info); min_entrylen = min(usr_entrylen, kern_entrylen); The usr_entrylen calculation subtracts sizeof(u32). I guess the line also needs change to subtract sizeof(u16) + sizeof(u16) + sizeof(u32). 2) kern_entrylen usr_entrylen is compared with kern_entrylen to get min_etnrylen. And kern_entrylen covers (num_devices - 1) entries: kern_entrylen = (num_devices - 1) * sizeof(*devmap_info); size = sizeof(*alltgt_info) + kern_entrylen; Is it ok to cover only (num_devices - 1) for comparison with usr_entrylen? Don't we need to cover all num_devices? 3) memcpy from devmap_info to alltgt_info->dmi Also regarding the min_entrylen, I find a line below: if (min_entrylen && (!memcpy(&alltgt_info->dmi, devmap_info, min_entrylen))) { The memcpy copies data from devmap_info to alltgt_inf->dmi, but it looks for me that these two points to same address. Do we really need this memcpy? I'm new to the mpi3mr driver. If I overlook or misunderstand anything, please let me know. -- Shin'ichiro Kawasaki