From nobody Mon May 25 05:12:30 2026 Received: from mail-qt1-f177.google.com (mail-qt1-f177.google.com [209.85.160.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C457A481FD6 for ; Mon, 18 May 2026 14:09:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779113396; cv=none; b=I/6T6VwUyUtZ1/I8RD0lr6Kb7CecEdRxSFfUz9zwWesemaWO8UEMOh7ABoYiIrPzKetX2K2tYEMW6Q4LicgIiA1uec1X1ko8RUanFeZBFbphAF2Uy4qrYbDGgNFxuVwdZzzxP8+hIxjFVSuAFUPJTM0TNVyBUD+EaZ0lbJuPfTg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779113396; c=relaxed/simple; bh=THmElVxW+1xGlC65m3NTKfeXYXU2Nv6oKr1bGetAz/Q=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=WmcKTXFYnlgVrC7vjiZzRe4ZTo/1YsvsFdENvOubwGGefQvPR8EZuaKC+ajpQ3pGILTnH2xb2ZqzZmXt1RQP2VVxASLLjei/bkYOZ4B85urxnF5mZTjvNNW7tBNZvVNHg+SkwcZU/YxtBKvcnSEG3jqop0FyVTBskG/KpZoKcLQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AdQF9M+/; arc=none smtp.client-ip=209.85.160.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AdQF9M+/" Received: by mail-qt1-f177.google.com with SMTP id d75a77b69052e-512f750d4b2so30390881cf.1 for ; Mon, 18 May 2026 07:09:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779113394; x=1779718194; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=JcCkhUrBAXbdWT6IfHUQo8JZZr8OMY5xmgFkJbZZrG4=; b=AdQF9M+/Q1Mj7bjSWEAqxN1vjgk8Dx8JL9Y1thVf5fl1q5VtTVenWs3TCwdoCgRtVf WQKOSFDzPei2F1kB5FK8G2XyeaeQZj183nEURjRwatEa0LmhG8wEPlYQ+B5PSeuTe/EM 4ulL2pqjVrnGYX094Z2R5gAkJE8bVDdjwFKzWSclbEI99/WAA/478p59OyvOyYmCvx9T wOzcXz/DAGAnG50i8hbFH7ozirUCNSthjzPeGGglR3YlOvaCG5USZldUELoPqjlXk/DR tK43/XUXucOgoCxHaqQMD5gc73RnVGP3D6FhC4bTQzjUxpC3TCFzLMXSIzKg/vnTxGJh eCQQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779113394; x=1779718194; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=JcCkhUrBAXbdWT6IfHUQo8JZZr8OMY5xmgFkJbZZrG4=; b=gjJZk90U1CVS0UpUbop/wz6UsqJrTHnzh1ONoVWtTFaX7yBFsu+x8qgp/4jVzjcRfK cgeIwkc8nV3NS26fkELd7uPMajWrq89y5qpSsDcP933hc353kKoiJJepVz7bMhfgk0m+ t2pvxmHTHINNVxf6A9kNbTfChIVIltzhhA+Y2FzCElHh/pYpfu3g4WgNIOuJktnT0zDf 9bw+ZO816pZSMfy0Fr/KK1bRJO6u5udQmHPHRZ/M+aXqpHHyYhvCTjIjubz0MusAbrom 6nIQ9ILZwRztlE8wubF5R5MQJTc7lRwMAqmyEZiiQhLf5/FIyiCIIIIxyfrkFJ01/V23 li0Q== X-Forwarded-Encrypted: i=1; AFNElJ99bFetVwcHx84plf35Hh9Q7Ge6Lj7xmDKW8W9uPbB3Hh8KxyEmXjZrGnTEGYS+NzZkwzBAiAROg+tPruc=@vger.kernel.org X-Gm-Message-State: AOJu0Yw2OlCH7m9svM40OU4j7rruZPZ0GO5U1Y25mR94Htx+jL+yhHou lLeVuoPjN8lQlU+fET88rHN/A3SPmLpLtXUcbj7UWmVJyNPloq+o9GXy X-Gm-Gg: Acq92OHvd9B0XNVEFfUeGI6wS3bcW3XlG84jT6RlUHCs/SAlGnIC7kjc56GbJsvBftv YeSp0V40XUZLkSE9zmkZoB7/jgpHcclfOvAYtinQ0SeL4HICT3tNomPD5VzDU6Hxdsm5Q/EmNvU C3V8reA+BSjtNNTNA+YpQCyYRzm5GzctpBlnAX00XEkxCCDSaReb9TYIE9YU+LyJmSLHaku2vMB vkaAaKdieraq0XUvdJ+kFo2WRyjY+LkRDcZ3dCSf+v6txj03je4SX45ybkAcDMHA2c3plGFIcgS YiGmEylR4mH3YO3CVXTduY6sNicXC0YU1tpijhzc8U7jumuvqC99aFatQMSXFWh2yAC3r2h41Dk KT/NciAu6xRWnlniyM48ci6SBPjcqLa2xvogdMlfmx3RWafpVa0AEIM3Qo0tE/ysLwG7hUbGS12 DOicOxQ43S4345wwSV7ouSbzJPnpnR95nYJ+2l16nXp0X5CinQobvFaormvCr7YaaK1CtapWJtq gYBzwI76T9PjSgqN8TQL+Tu6NtUnE5MlFS5UWhSb5o= X-Received: by 2002:a05:622a:5e13:b0:50b:487c:f3d1 with SMTP id d75a77b69052e-5165a0703b6mr201830211cf.3.1779113392898; Mon, 18 May 2026 07:09:52 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-516456888f6sm139477401cf.3.2026.05.18.07.09.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 07:09:52 -0700 (PDT) From: Michael Bommarito To: "Martin K . Petersen" , "James E . J . Bottomley" Cc: Nilesh Javali , Himanshu Madhani , Shyam Sundar , James Smart , Hannes Reinecke , John Meneghini , Bryan Gurney , Justin Tee , Christoph Hellwig , Keith Busch , Kees Cook , linux-scsi@vger.kernel.org, linux-nvme@lists.infradead.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] scsi: scsi_transport_fc: widen FPIN pname walker counter to u32 Date: Mon, 18 May 2026 10:09:45 -0400 Message-ID: <20260518140945.2751273-2-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260518140945.2751273-1-michael.bommarito@gmail.com> References: <20260518140945.2751273-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" drivers/scsi/scsi_transport_fc.c::fc_fpin_li_stats_update() and fc_fpin_peer_congn_stats_update() walked the on-wire pname_list[] with a u8 loop counter against the 32-bit __be32 pname_count field, and never bounded pname_count by the descriptor body the TLV walker already validated. A fabric-side FPIN sender (the elected fabric controller, a co-tenant N_Port that spoofs S_ID 0xFFFFFD after FLOGI, or a compromised switch supervisor) could hang the FC ELS receive thread of an lpfc or qla2xxx initiator indefinitely by emitting one FPIN ELS frame whose Link-Integrity or Peer-Congestion descriptor sets pname_count to 256, because the u8 counter rolls over and the loop condition i < pname_count stays true for every value i can take. Widen the loop counter to u32 in both walkers and clamp pname_count against the per-descriptor available bytes (desc_len minus the fixed body that precedes pname_list[]) before iterating. A malformed descriptor that claims more entries than its TLV body can hold is rejected by the clamp. Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- drivers/scsi/scsi_transport_fc.c | 81 ++++++++++++++++++++------------ 1 file changed, 51 insertions(+), 30 deletions(-) diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport= _fc.c index dce95e361daf0..cef0c85693fd4 100644 --- a/drivers/scsi/scsi_transport_fc.c +++ b/drivers/scsi/scsi_transport_fc.c @@ -747,7 +747,7 @@ fc_cn_stats_update(u16 event_type, struct fc_fpin_stats= *stats) static void fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv) { - u8 i; + u32 i, pname_count, max_count, desc_len; struct fc_rport *rport =3D NULL; struct fc_rport *attach_rport =3D NULL; struct fc_host_attrs *fc_host =3D shost_to_fc_host(shost); @@ -764,20 +764,34 @@ fc_fpin_li_stats_update(struct Scsi_Host *shost, stru= ct fc_tlv_desc *tlv) fc_li_stats_update(event_type, &attach_rport->fpin_stats); } =20 - if (be32_to_cpu(li_desc->pname_count) > 0) { - for (i =3D 0; - i < be32_to_cpu(li_desc->pname_count); - i++) { - wwpn =3D be64_to_cpu(li_desc->pname_list[i]); - rport =3D fc_find_rport_by_wwpn(shost, wwpn); - if (rport && - (rport->roles & FC_PORT_ROLE_FCP_TARGET || - rport->roles & FC_PORT_ROLE_NVME_TARGET)) { - if (rport =3D=3D attach_rport) - continue; - fc_li_stats_update(event_type, - &rport->fpin_stats); - } + /* + * Clamp pname_count to the number of pname_list entries + * the descriptor body can actually hold. desc_len + * excludes the desc_tag/desc_len header (FC_TLV_DESC_HDR_SZ), + * so the bytes available for pname_list[] are + * desc_len - sizeof(fixed fields before pname_list[]). + */ + pname_count =3D be32_to_cpu(li_desc->pname_count); + desc_len =3D be32_to_cpu(li_desc->desc_len); + if (desc_len < sizeof(*li_desc) - FC_TLV_DESC_HDR_SZ) + max_count =3D 0; + else + max_count =3D (desc_len - + (sizeof(*li_desc) - FC_TLV_DESC_HDR_SZ)) / + sizeof(li_desc->pname_list[0]); + if (pname_count > max_count) + pname_count =3D max_count; + + for (i =3D 0; i < pname_count; i++) { + wwpn =3D be64_to_cpu(li_desc->pname_list[i]); + rport =3D fc_find_rport_by_wwpn(shost, wwpn); + if (rport && + (rport->roles & FC_PORT_ROLE_FCP_TARGET || + rport->roles & FC_PORT_ROLE_NVME_TARGET)) { + if (rport =3D=3D attach_rport) + continue; + fc_li_stats_update(event_type, + &rport->fpin_stats); } } =20 @@ -827,7 +841,7 @@ static void fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv) { - u8 i; + u32 i, pname_count, max_count, desc_len; struct fc_rport *rport =3D NULL; struct fc_rport *attach_rport =3D NULL; struct fc_fn_peer_congn_desc *pc_desc =3D @@ -844,20 +858,27 @@ fc_fpin_peer_congn_stats_update(struct Scsi_Host *sho= st, fc_cn_stats_update(event_type, &attach_rport->fpin_stats); } =20 - if (be32_to_cpu(pc_desc->pname_count) > 0) { - for (i =3D 0; - i < be32_to_cpu(pc_desc->pname_count); - i++) { - wwpn =3D be64_to_cpu(pc_desc->pname_list[i]); - rport =3D fc_find_rport_by_wwpn(shost, wwpn); - if (rport && - (rport->roles & FC_PORT_ROLE_FCP_TARGET || - rport->roles & FC_PORT_ROLE_NVME_TARGET)) { - if (rport =3D=3D attach_rport) - continue; - fc_cn_stats_update(event_type, - &rport->fpin_stats); - } + pname_count =3D be32_to_cpu(pc_desc->pname_count); + desc_len =3D be32_to_cpu(pc_desc->desc_len); + if (desc_len < sizeof(*pc_desc) - FC_TLV_DESC_HDR_SZ) + max_count =3D 0; + else + max_count =3D (desc_len - + (sizeof(*pc_desc) - FC_TLV_DESC_HDR_SZ)) / + sizeof(pc_desc->pname_list[0]); + if (pname_count > max_count) + pname_count =3D max_count; + + for (i =3D 0; i < pname_count; i++) { + wwpn =3D be64_to_cpu(pc_desc->pname_list[i]); + rport =3D fc_find_rport_by_wwpn(shost, wwpn); + if (rport && + (rport->roles & FC_PORT_ROLE_FCP_TARGET || + rport->roles & FC_PORT_ROLE_NVME_TARGET)) { + if (rport =3D=3D attach_rport) + continue; + fc_cn_stats_update(event_type, + &rport->fpin_stats); } } } --=20 2.53.0