On Thu, Jun 30, 2016 at 08:32:36AM -0700, Chris Leech wrote:
> In the receive path libfc extracts a cpu number from the ox_id in the
> fiber channel header and uses that to do a per_cpu_ptr conversion.
> If, for some reason, a frame is received with an invalid ox_id,
> per_cpu_ptr will return an invalid pointer and the libfc receive path
> will panic the system trying to use it.
>
> I'm currently looking at such a case, and I don't yet know why a
> cpu number > nr_cpu_ids is appearing in an exchange id. But adding a
> sanity check in libfc prevents a system panic, and seems like a good idea
> when dealing with frames coming in from the network.
>
> Signed-off-by: Chris Leech <cleech@xxxxxxxxxx>
> --- > drivers/scsi/libfc/fc_exch.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c > index 30f9ef0..e72673b 100644 > --- a/drivers/scsi/libfc/fc_exch.c > +++ b/drivers/scsi/libfc/fc_exch.c
> @@ -908,9 +908,17 @@ static struct fc_exch *fc_exch_find(struct fc_exch_mgr *mp, u16 xid) > { > struct fc_exch_pool *pool; > struct fc_exch *ep = NULL; > + u16 cpu = xid & fc_cpu_mask; > + > + if (cpu >= nr_cpu_ids || !cpu_possible(cpu)) { > + printk_ratelimited(KERN_ERR > + "libfc: lookup request for XID = %d, " > + "indicates invalid CPU %d\n", xid, cpu); > + return NULL; > + } > > if ((xid >= mp->min_xid) && (xid <= mp->max_xid)) { > - pool = per_cpu_ptr(mp->pool, xid & fc_cpu_mask); > + pool = per_cpu_ptr(mp->pool, cpu); > spin_lock_bh(&pool->lock); > ep = fc_exch_ptr_get(pool, (xid - mp->min_xid) >> fc_cpu_order); > if (ep) {

Acked-by: Johannes Thumshirn <jth@xxxxxxxxxx>

@Martin, do you queue the libfc patches as well?

-- 
Johannes Thumshirn Storage
jthumshirn@xxxxxxx +49 911 74053 689
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Key fingerprint = EC38 9CAB C2C4 F25D 8600 D0D0 0393 969D 2D76 0850
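
Review bot: the new CPU check at the top of fc_exch_find() runs before the `(xid >= mp->min_xid) && (xid <= mp->max_xid)` test, so an XID that is outside this manager's range, and that previously just skipped the per_cpu_ptr() lookup, can now produce the KERN_ERR message. per_cpu_ptr() is only reached inside the range test, so moving the `cpu >= nr_cpu_ids || !cpu_possible(cpu)` check into that block would keep the protection while logging only for XIDs this manager would actually have dereferenced. Two smaller points on the message itself: both values are u16, so `%u` fits better than `%d`, and keeping the text in one string literal instead of splitting it after "XID = %d, " makes the message findable with grep.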