Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3689149ybv;
        Mon, 10 Feb 2020 04:45:20 -0800 (PST)
X-Google-Smtp-Source: APXvYqzjWfxcnvoQLckm5QOWluAuKD3xPyX7JP9HAEJ3A/eTgRKruLaL7o672fRdzdBgZKHCmPlR
X-Received: by 2002:a9d:4541:: with SMTP id p1mr919767oti.199.1581338720301;
        Mon, 10 Feb 2020 04:45:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1581338720; cv=none;
        d=google.com; s=arc-20160816;
        b=WWpF4Nxeb9Y5GxoCsXtd6PsxzVxYPmdMYiAGtICTWMcSMfpoShFEjnKSiBakHPiZmw
         AHuF+8Dj1S468oxCbZbWBH4Os+uQFP41M+K2KnyRFOQgs+QcdgWEuvvhvHIGeJiaXwXU
         cr6nSZa6KPQUy5vgPk9qX1a4BL6E/9L1Gx08zOe/f0yF5aLsMXqYsXpG+Va2Y91Ckc2c
         GWfXbtxxBHHlin0tVQdzAHZI/QyIWZkSmokjEeHsbJuFrSeju1VWvVkdefGZSzhHp0hB
         b1lz27vHYzBHVEbpuNrL/LBLLFIGr7RKlSG80fscBIme3ITqsvCHaZHuYWd5NoWU6n3U
         X/Hw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=jXQRY/RpVm/i0xcKZmfA+mPJpa+8RyVwnZyTUDUPEJQ=;
        b=Nph/c239C0nHh/fHui51bxNdciEcN5CWcD2n9CU1WOCsaU9oKy5r/TLL+yvVE7AzE9
         j5RzwNA373bYK8puCRHoHROwp4iJNYjxZa8ph+TXhLSPBKqEklzikEfc+bDG8G3GYD57
         AxLYkZ4bpbFMjPXyWdxkjO243WZmgs62Uwo96JaRwYqAj+kbe0WDv/lJt/EGERycQzab
         AXQd+9a/R1FUDvT/t0+hWLhnRNrBetj2SjZ5CUS+KbnSSEqk0sBrwaCr90Qr7Y0wN5PO
         RoF+EK96ojEu50hf1C9tiLP9Ref9OJPpnSpjqoQPn+zSd9FMkFKr/X04G6zz3CukQm1E
         Jt/g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=gSnFJjZL;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p28si136440oth.296.2020.02.10.04.45.08;
        Mon, 10 Feb 2020 04:45:20 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=gSnFJjZL;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730295AbgBJMox (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Mon, 10 Feb 2020 07:44:53 -0500
Received: from mail.kernel.org ([198.145.29.99]:41428 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729255AbgBJMkr (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 Feb 2020 07:40:47 -0500
Received: from localhost (unknown [209.37.97.194])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 9A4DB2468C;
        Mon, 10 Feb 2020 12:40:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1581338446;
        bh=YuC1EuvkqP1crUOeP+W/sOrbmT6vDH2ontQwxi980VY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=gSnFJjZLB0E3W7VbA8Ek8O1eX31jo7tqgOONjFQT/ei2YKtcvMirrl92Y0hjsqRcd
         b1F1trPqbeIYNX2nR7qy8ykZXR8ao0Gu5A/IqPgiCYOCgibvsMDxQgSmZE8IuOp8Jh
         qDzra3FuXdzdvZ6CU5927LYZdvEQGK7k+yCz08jg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Arun Easi <aeasi@marvell.com>,
        Himanshu Madhani <hmadhani@marvell.com>,
        "Ewan D. Milne" <emilne@redhat.com>,
        "Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 5.5 188/367] scsi: qla2xxx: Fix unbound NVME response length
Date:   Mon, 10 Feb 2020 04:31:41 -0800
Message-Id: <20200210122441.989530082@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200210122423.695146547@linuxfoundation.org>
References: <20200210122423.695146547@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Arun Easi <aeasi@marvell.com>

commit 00fe717ee1ea3c2979db4f94b1533c57aed8dea9 upstream.

On certain cases when response length is less than 32, NVME response data
is supplied inline in IOCB. This is indicated by some combination of state
flags. There was an instance when a high, and incorrect, response length
was indicated causing driver to overrun buffers. Fix this by checking and
limiting the response payload length.

Fixes: 7401bc18d1ee3 ("scsi: qla2xxx: Add FC-NVMe command handling")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200124045014.23554-1-hmadhani@marvell.com
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
Reviewed-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/qla2xxx/qla_dbg.c |    6 ------
 drivers/scsi/qla2xxx/qla_dbg.h |    6 ++++++
 drivers/scsi/qla2xxx/qla_isr.c |   12 ++++++++++++
 3 files changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/scsi/qla2xxx/qla_dbg.c
+++ b/drivers/scsi/qla2xxx/qla_dbg.c
@@ -2519,12 +2519,6 @@ qla83xx_fw_dump_failed:
 /*                         Driver Debug Functions.                          */
 /****************************************************************************/
 
-static inline int
-ql_mask_match(uint level)
-{
-	return (level & ql2xextended_error_logging) == level;
-}
-
 /*
  * This function is for formatting and logging debug information.
  * It is to be used when vha is available. It formats the message
--- a/drivers/scsi/qla2xxx/qla_dbg.h
+++ b/drivers/scsi/qla2xxx/qla_dbg.h
@@ -374,3 +374,9 @@ extern int qla24xx_dump_ram(struct qla_h
 extern void qla24xx_pause_risc(struct device_reg_24xx __iomem *,
 	struct qla_hw_data *);
 extern int qla24xx_soft_reset(struct qla_hw_data *);
+
+static inline int
+ql_mask_match(uint level)
+{
+	return (level & ql2xextended_error_logging) == level;
+}
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1918,6 +1918,18 @@ static void qla24xx_nvme_iocb_entry(scsi
 		inbuf = (uint32_t *)&sts->nvme_ersp_data;
 		outbuf = (uint32_t *)fd->rspaddr;
 		iocb->u.nvme.rsp_pyld_len = le16_to_cpu(sts->nvme_rsp_pyld_len);
+		if (unlikely(iocb->u.nvme.rsp_pyld_len >
+		    sizeof(struct nvme_fc_ersp_iu))) {
+			if (ql_mask_match(ql_dbg_io)) {
+				WARN_ONCE(1, "Unexpected response payload length %u.\n",
+				    iocb->u.nvme.rsp_pyld_len);
+				ql_log(ql_log_warn, fcport->vha, 0x5100,
+				    "Unexpected response payload length %u.\n",
+				    iocb->u.nvme.rsp_pyld_len);
+			}
+			iocb->u.nvme.rsp_pyld_len =
+			    sizeof(struct nvme_fc_ersp_iu);
+		}
 		iter = iocb->u.nvme.rsp_pyld_len >> 2;
 		for (; iter; iter--)
 			*outbuf++ = swab32(*inbuf++);