From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Smart, Dick Kennedy, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 5.4 010/168] scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
Date: Tue, 28 Apr 2020 20:23:04 +0200
Message-Id: <20200428182232.972647412@linuxfoundation.org>
In-Reply-To: <20200428182231.704304409@linuxfoundation.org>
References: <20200428182231.704304409@linuxfoundation.org>

From: James Smart

[ Upstream commit 38503943c89f0bafd9e3742f63f872301d44cbea ]

The following kasan bug was called out:

 BUG: KASAN: slab-out-of-bounds in lpfc_unreg_login+0x7c/0xc0 [lpfc]
 Read of size 2 at addr ffff889fc7c50a22 by task lpfc_worker_3/6676
 ...
 Call Trace:
 dump_stack+0x96/0xe0
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 print_address_description.constprop.6+0x1b/0x220
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 __kasan_report.cold.9+0x37/0x7c
 ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
 kasan_report+0xe/0x20
 lpfc_unreg_login+0x7c/0xc0 [lpfc]
 lpfc_sli_def_mbox_cmpl+0x334/0x430 [lpfc]
 ...

When processing the completion of a "Reg Rpi" login mailbox command in
lpfc_sli_def_mbox_cmpl, a call may be made to lpfc_unreg_login. The vpi is
extracted from the completing mailbox context and passed as an input for
the next. However, the vpi stored in the mailbox command context is an
absolute vpi, which for SLI4 represents both base + offset. When used with
a non-zero base component, (function id > 0) this results in an
out-of-range access beyond the allocated phba->vpi_ids array.

Fix by subtracting the function's base value to get an accurate vpi number.

Link: https://lore.kernel.org/r/20200322181304.37655-2-jsmart2021@gmail.com
Signed-off-by: James Smart
Signed-off-by: Dick Kennedy
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
---
 drivers/scsi/lpfc/lpfc_sli.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index 0717e850bcbfd..1692ce913b7f0 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c 
@@ -2481,6 +2481,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) !pmb->u.mb.mbxStatus) { rpi = pmb->u.mb.un.varWords[0]; vpi = pmb->u.mb.un.varRegLogin.vpi; + if (phba->sli_rev == LPFC_SLI_REV4) + vpi -= phba->sli4_hba.max_cfg_param.vpi_base; lpfc_unreg_login(phba, vpi, rpi, pmb); pmb->vport = vport; pmb->mbox_cmpl = lpfc_sli_def_mbox_cmpl; -- 2.20.1
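
Review bot: In the added SLI4 branch of lpfc_sli_def_mbox_cmpl(), the value left by "vpi -= phba->sli4_hba.max_cfg_param.vpi_base" is passed to lpfc_unreg_login() without a range check, so a mailbox vpi that is smaller than vpi_base, or one that was already relative, still yields an index outside phba->vpi_ids, the array named in the commit message. Consider validating the adjusted vpi against the number of entries allocated for that array before the call, and skipping the unreg with a log message when the check fails. A short comment above the two new lines stating that varRegLogin.vpi carries the absolute (base + offset) vpi on SLI4 would also document why the subtraction is needed at this site.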
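
The base + offset indexing problem the commit message describes, modelled as an added stand-alone example (not lpfc code and not part of the patch). struct func_ids, the three functions and the sample table are hypothetical names and constructed values; the checked translation also rejects ids below the base, which goes one step beyond the subtraction in the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not lpfc code: one function's slice of a shared id space. */
struct func_ids {
    uint16_t base;       /* first absolute id owned by this function */
    uint16_t count;      /* number of entries in ids[] */
    const uint16_t *ids; /* per-function table, indexed by relative id */
};

/* Constructed sample: a function with base 64 that owns 8 ids. */
static const uint16_t sample_tbl[8] = {100, 101, 102, 103, 104, 105, 106, 107};
static const struct func_ids sample = {64, 8, sample_tbl};

/* Absolute id -> table index. Returns 0 on success, -1 when the id is not
 * in this function's range (below base, or past the end of the table). */
int abs_to_index(const struct func_ids *f, uint16_t abs_id, uint16_t *idx)
{
    if (abs_id < f->base)
        return -1; /* the subtraction would wrap to a huge index */
    if (abs_id - f->base >= f->count)
        return -1; /* past the allocated table */
    *idx = (uint16_t)(abs_id - f->base);
    return 0;
}

/* Checked lookup: translate first, index second. */
int lookup_checked(const struct func_ids *f, uint16_t abs_id, uint16_t *out)
{
    uint16_t idx;
    if (abs_to_index(f, abs_id, &idx) != 0)
        return -1;
    *out = f->ids[idx];
    return 0;
}

/* Returns 1 when the absolute id, used directly as the index, is out of range. */
int raw_index_out_of_bounds(const struct func_ids *f, uint16_t abs_id)
{
    return abs_id >= f->count;
}

int main(void)
{
    uint16_t v = 0;
    int rc = lookup_checked(&sample, 66, &v);
    printf("raw oob=%d rc=%d value=%u\n", raw_index_out_of_bounds(&sample, 66), rc, (unsigned)v);
    return 0;
}
```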