From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, James Smart, Dick Kennedy, "Martin K. Petersen", Sasha Levin
Subject: [PATCH 4.14 009/117] scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
Date: Fri, 1 May 2020 15:20:45 +0200
Message-Id: <20200501131546.261537898@linuxfoundation.org>
In-Reply-To: <20200501131544.291247695@linuxfoundation.org>
References: <20200501131544.291247695@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: James Smart

[ Upstream commit 38503943c89f0bafd9e3742f63f872301d44cbea ]

The following kasan bug was called out:

  BUG: KASAN: slab-out-of-bounds in lpfc_unreg_login+0x7c/0xc0 [lpfc]
  Read of size 2 at addr ffff889fc7c50a22 by task lpfc_worker_3/6676
  ...
  Call Trace:
  dump_stack+0x96/0xe0
  ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
  print_address_description.constprop.6+0x1b/0x220
  ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
  ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
  __kasan_report.cold.9+0x37/0x7c
  ? lpfc_unreg_login+0x7c/0xc0 [lpfc]
  kasan_report+0xe/0x20
  lpfc_unreg_login+0x7c/0xc0 [lpfc]
  lpfc_sli_def_mbox_cmpl+0x334/0x430 [lpfc]
  ...

When processing the completion of a "Reg Rpi" login mailbox command in
lpfc_sli_def_mbox_cmpl, a call may be made to lpfc_unreg_login. The vpi is
extracted from the completing mailbox context and passed as an input for
the next. However, the vpi stored in the mailbox command context is an
absolute vpi, which for SLI4 represents both base + offset. When used with
a non-zero base component, (function id > 0) this results in an
out-of-range access beyond the allocated phba->vpi_ids array.

Fix by subtracting the function's base value to get an accurate vpi number.

Link: https://lore.kernel.org/r/20200322181304.37655-2-jsmart2021@gmail.com
Signed-off-by: James Smart
Signed-off-by: Dick Kennedy
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
--- drivers/scsi/lpfc/lpfc_sli.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index d8e0ba68879c3..480d2d467f7a6 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c 
@@ -2271,6 +2271,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *phba, LPFC_MBOXQ_t *pmb) !pmb->u.mb.mbxStatus) { rpi = pmb->u.mb.un.varWords[0]; vpi = pmb->u.mb.un.varRegLogin.vpi; + if (phba->sli_rev == LPFC_SLI_REV4) + vpi -= phba->sli4_hba.max_cfg_param.vpi_base; lpfc_unreg_login(phba, vpi, rpi, pmb); pmb->vport = vport; pmb->mbox_cmpl = lpfc_sli_def_mbox_cmpl; -- 2.20.1
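
Review bot: The new `vpi -= phba->sli4_hba.max_cfg_param.vpi_base` in the SLI4 branch is not followed by any range check before `lpfc_unreg_login(phba, vpi, rpi, pmb)`, so the fix relies on the mailbox context always carrying a vpi at or above vpi_base. Since the commit message describes the consumer indexing phba->vpi_ids, a value below the base would wrap or go negative (depending on the type of vpi, which the hunk does not show) and land outside the array again. Consider validating the relative vpi against the size of vpi_ids at this point, or at least adding a one-line comment above the subtraction stating that varRegLogin.vpi is an absolute (base + offset) value on SLI4, so the conversion is not dropped or duplicated in a later change.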