From: Jiasheng Jiang
To: Nilesh Javali, GR-QLogic-Storage-Upstream@marvell.com, "James E . J . Bottomley", "Martin K . Petersen"
Cc: Himanshu Madhani, Manish Rangankar, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Jiasheng Jiang
Subject: [PATCH] scsi: qla2xxx: sanitize payload size to prevent member overflow
Date: Tue, 6 Jan 2026 20:53:44 +0000
Message-Id: <20260106205344.18031-1-jiashengjiangcool@gmail.com>

In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item.

If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE.

Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member.

Fixes: 875386b98857 ("scsi: qla2xxx: Add Unsolicited LS Request and Response Support for NVMe")
Signed-off-by: Jiasheng Jiang
Reviewed-by: Himanshu Madhani
---
 drivers/scsi/qla2xxx/qla_isr.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index a3971afc2dd1..a04a5aa0d005 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c @@ -878,6 +878,9 @@ qla27xx_copy_multiple_pkt(struct scsi_qla_host *vha, vo= id **pkt, payload_size =3D sizeof(purex->els_frame_payload); } =20 + if (total_bytes > sizeof(item->iocb.iocb)) + total_bytes =3D sizeof(item->iocb.iocb); + pending_bytes =3D total_bytes; no_bytes =3D (pending_bytes > payload_size) ? payload_size : pending_bytes; @@ -1163,6 +1166,10 @@ qla27xx_copy_fpin_pkt(struct scsi_qla_host *vha, voi= d **pkt, =20 total_bytes =3D (le16_to_cpu(purex->frame_size) & 0x0FFF) - PURX_ELS_HEADER_SIZE; + + if (total_bytes > sizeof(item->iocb.iocb)) + total_bytes =3D sizeof(item->iocb.iocb); + pending_bytes =3D total_bytes; entry_count =3D entry_count_remaining =3D purex->entry_count; no_bytes =3D (pending_bytes > sizeof(purex->els_frame_payload)) ? --=20 2.25.1
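Review bot: The clamp added before `pending_bytes = total_bytes` in qla27xx_copy_multiple_pkt() silently truncates any payload longer than 64 bytes, in a function whose name and pending_bytes/payload_size setup indicate payloads that span several entries. The commit message itself notes that extra memory might be allocated for the larger size, so please confirm that consumers of the item never need the bytes beyond 64; if larger payloads are legitimate, the destination type should be changed rather than the length. If truncation is intended, log it (rate-limited) so an oversized firmware-reported frame_size is visible, and prefer `min_t(size_t, total_bytes, sizeof(item->iocb.iocb))` over the open-coded if.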
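Review bot: In qla27xx_copy_fpin_pkt() the subtraction `(le16_to_cpu(purex->frame_size) & 0x0FFF) - PURX_ELS_HEADER_SIZE` has no lower bound, so a frame_size smaller than the header produces a negative or wrapped total_bytes that the new `total_bytes > sizeof(item->iocb.iocb)` test (an unsigned comparison) turns into a 64-byte copy instead of a rejected frame. Check that the masked frame_size is at least PURX_ELS_HEADER_SIZE before subtracting and bail out otherwise. The same three-line clamp now appears in both functions; a small shared helper would keep the two paths consistent.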
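A user-space model of the bounds check the commit message describes, added here as an example (not code from the patch or the qla2xxx driver): it rejects a firmware-reported size that is shorter than the header or larger than the 64-byte iocb instead of clamping it. struct demo_item, the demo_* functions and the DEMO_HDR_SIZE value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_HDR_SIZE  0x18u /* assumed value; the page does not give PURX_ELS_HEADER_SIZE */
#define DEMO_IOCB_SIZE 64u   /* iocb size stated in the commit message */

/* Constructed stand-in for struct purex_item: fixed iocb plus a neighbouring member. */
struct demo_item {
	uint8_t iocb[DEMO_IOCB_SIZE];
	uint32_t canary; /* would be clobbered by a copy longer than iocb */
};

/* Return the payload length for a reported frame size, or -1 if it is out of range. */
static int demo_payload_len(uint16_t frame_size)
{
	unsigned int masked = frame_size & 0x0FFF;

	if (masked < DEMO_HDR_SIZE)
		return -1; /* subtraction below would wrap */
	if (masked - DEMO_HDR_SIZE > DEMO_IOCB_SIZE)
		return -1; /* copy would run past the iocb member */
	return (int)(masked - DEMO_HDR_SIZE);
}

/* Copy the payload into item->iocb only when the length was accepted. */
static int demo_copy(struct demo_item *item, const uint8_t *payload, uint16_t frame_size)
{
	int len = demo_payload_len(frame_size);

	if (len < 0)
		return -1;
	memcpy(item->iocb, payload, (size_t)len);
	return len;
}

/* Run three constructed frame sizes; return 0 when all behave as expected. */
static int demo_run(void)
{
	static const uint8_t payload[256] = { 0xAA };
	struct demo_item item = { .canary = 0xC0FFEEu };
	int ok = demo_copy(&item, payload, DEMO_HDR_SIZE + 32) == 32;

	ok = ok && demo_copy(&item, payload, DEMO_HDR_SIZE + 200) == -1; /* oversized */
	ok = ok && demo_copy(&item, payload, 4) == -1;                   /* shorter than header */
	return (ok && item.canary == 0xC0FFEEu) ? 0 : 1;
}

int main(void) { return demo_run(); }
```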