From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: James Smart, Dick Kennedy, "Martin K . Petersen", Sasha Levin, linux-scsi@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 08/75] scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
Date: Sat, 18 Apr 2020 10:08:03 -0400
Message-Id: <20200418140910.8280-8-sashal@kernel.org>
In-Reply-To: <20200418140910.8280-1-sashal@kernel.org>
References: <20200418140910.8280-1-sashal@kernel.org>
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

From: James Smart

[ Upstream commit 38503943c89f0bafd9e3742f63f872301d44cbea ]

The following kasan bug was called out:

 BUG: KASAN: slab-out-of-bounds in lpfc_unreg_login+0x7c/0xc0 [lpfc]
 Read of size 2 at addr ffff889fc7c50a22 by task lpfc_worker_3/6676
 ...
 Call Trace:
 dump_stack+0x96/0xe0
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 print_address_description.constprop.6+0x1b/0x220
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 __kasan_report.cold.9+0x37/0x7c
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 kasan_report+0xe/0x20
 lpfc_unreg_login+0x7c/0xc0 [lpfc]
 lpfc_sli_def_mbox_cmpl+0x334/0x430 [lpfc]
 ...

When processing the completion of a "Reg Rpi" login mailbox command in
lpfc_sli_def_mbox_cmpl, a call may be made to lpfc_unreg_login. The vpi is
extracted from the completing mailbox context and passed as an input for
the next. However, the vpi stored in the mailbox command context is an
absolute vpi, which for SLI4 represents both base + offset. When used with
a non-zero base component, (function id > 0) this results in an
out-of-range access beyond the allocated phba->vpi_ids array.

Fix by subtracting the function's base value to get an accurate vpi number.

Link: https://lore.kernel.org/r/20200322181304.37655-2-jsmart2021@gmail.com
Signed-off-by: James Smart Signed-off-by: Dick Kennedy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin --- drivers/scsi/lpfc/lpfc_sli.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index 625c046ac4efa..993b1056beb83 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c @@ -2511,6 +2511,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) !pmb->u.mb.mbxStatus) { rpi = pmb->u.mb.un.varWords[0]; vpi = pmb->u.mb.un.varRegLogin.vpi; + if (phba->sli_rev == LPFC_SLI_REV4) + vpi -= phba->sli4_hba.max_cfg_param.vpi_base; lpfc_unreg_login(phba, vpi, rpi, pmb); pmb->vport = vport; pmb->mbox_cmpl = lpfc_sli_def_mbox_cmpl; -- 2.20.1
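
Review bot: The subtraction at "vpi -= phba->sli4_hba.max_cfg_param.vpi_base;" has no range check on its result before "lpfc_unreg_login(phba, vpi, rpi, pmb);" is called, and per the commit message that value is what reaches the phba->vpi_ids array. If the mailbox context ever holds a vpi below vpi_base, the subtraction yields a wrapped or negative value (the type of vpi is not visible in this hunk) and the access is out of range again, only in the other direction. Consider checking that the mailbox vpi is at least vpi_base before converting it, and logging an error and skipping the unreg otherwise. A one-line comment above the "if" stating that the mailbox carries an absolute vpi on SLI4 while lpfc_unreg_login expects a function-relative one would also document why the adjustment is there.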