From nobody Mon May 25 05:12:27 2026 Received: from mail-qt1-f169.google.com (mail-qt1-f169.google.com [209.85.160.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 75B0B30F545 for ; Mon, 18 May 2026 14:37:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.169 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779115034; cv=none; b=F84H98vrcjNczfjNgZnsSDFxxjWhCI93Yld8U8m3iuV4+jk+uNKb60kWBeoy/f2tXw1rzUrLzcIq91N+ayyyHLqhIPahO5FbZUkxlbFYQk5NDnEBZnODJpRTuiqJ+aQrsMkiZ1naBWIxrDhRaQ5fMtL0nwSk/9efLclyHuoMtHE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779115034; c=relaxed/simple; bh=QKtDY3LLPN0iqcBYUIpG1gwwPfRppvyhEdYgjVlJ5zM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=msV6w4sb4bfYVxfoeOrp6le0u2NWbGMmmqC3wSOGvgxEtwwnAg128oniDDmG4b1VGoX5HzNMi1xW6XkMu3Vq/Jv3w+pIHoUhRFbS0OE829EoYm1Bm/fcX6EFG0krAXCmUCEHuhhVsATjIcs2xGk8K2vKOpcXaWUPSQ20SdUDbVk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=lYKecKP7; arc=none smtp.client-ip=209.85.160.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lYKecKP7" Received: by mail-qt1-f169.google.com with SMTP id d75a77b69052e-51306c36c3eso29711251cf.0 for ; Mon, 18 May 2026 07:37:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779115031; x=1779719831; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=3Dh1s6OdAS1PfBEWRup+gzc+11JwMqjGvirdDEgh7WY=; b=lYKecKP7W3Te7wHyW0MMddxp2um3EqJarRjXoe2OxCM7X+v1VjUAmM5/HR9ubOeBn/ KjQrJk9xbe/Sq7RdFInMkYffLqEg/oKoZXAEOuTMZXZtG0cvJUWjaKxHtWrY3mdus1du o8bJvwyToJgmRiPxmu0ngi6zVpRvZskFL23WfmsWoK2DsN+6+ZitweHsrCXfV0M6/vr0 Q3CMVg5/k2TvNLDDkgXz7zo4GuMx62icg3Jb0hhxPd8KRtnn7PTjQ8m0oAG5S8+WF7CA StEtiHITQbinEtEq9n9ke6Ci1ijMtIiEvE+JA18bkchP/dVLZHh1eEstP/tFhDQgYTae 1BOg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779115031; x=1779719831; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=3Dh1s6OdAS1PfBEWRup+gzc+11JwMqjGvirdDEgh7WY=; b=JHJE4jwipoKBechzOUCxfFVUBjk+1uoMvMJfhffyU9w4xR1ocUcU8lzO2svjg/5SUF c1xeIZ94HS6cCYw6LuP6+1S2qUe8Epz61d5Dy/6NW1DtywQO92hRV4aloU/jp7ZAVNnO gR0M/GkOa7AyA2Ug2JpIhoTvqpNafsOCR3TSh42Yzoq1KtZHOj9l1ps1nABOVqN1p0U6 upF7rBucpGf3sRiRq5uleQCAb36zvFsV/4vcGJdvtMF7EHpNz19YnaqAO8JAFOYH5MjW mhJzuRoHIwhS7g6UQ74PNTdglASlHXjAIWFAgaiEPKj0gG9/kIce71qnEPBMUXwjmab+ eTSw== X-Forwarded-Encrypted: i=1; AFNElJ8gml/r1D4qvldmIUWCveJUcH4hnnHu0bKUViIfrr5xaSVlSaAzlpzA7Ur5mjjOFJEyX03FHQv0YLS622c=@vger.kernel.org X-Gm-Message-State: AOJu0Yxf5HJyc9O8KSqK1Y+/M14ZAnT2IBKablL6bRwq6C4SkZPPbxq0 znsETlbcTiY9it4e3+RA7lw8hmNLCH2RR6scmfyWmf2B7o+WuGNiYvts X-Gm-Gg: Acq92OHuZJH1PMTqC+gX6YKpOv/PQrUKJSRGrRtv8MFdar6/6Zk5NGEheZIQaVwEDd8 2eN0I5ykQsZ96zRGQhJo6fLtJRX0CQcAZXdVsEHxdNdEBKioXlvSetRfr2acdm+4E61KlvtSUXI NJovJwRWDlYJ/LGOy/0DoHolPyteDtRLrceX5cpe6QlzF5+E9XCyj4f1I7A5I18/jWonqNhiFPm tswHoRCkzit3lXDJ1Sj96x9jwT8f3Wc89hwdaDxj98ZUQSBkxvz0iTUzLK+A/AiI2PI66vq29E7 +oKV+bDYNK9/UrlR4XR722piuIyGSdB1LZcQTgfX2ZsVuAEbfqMkJ2ZvtBK/1GZSvYS5jIVEgwH nxrG4BIjxSNQLLFVY+ukBgETCZE3R1CN7deLRIo3X2g25LcpIPXWPnD5mhDT7aYIW+8HQi/NBtg vl3Djxz1Nf85ZZkc+DHpgIj+73obv1GG70HeWjRtdnAKbdpkcDeEh5HZU0DuLHDpZ0zlHKOBnh8 XU9NGywKXQseQnPqortQrICqvcL7HPquRN8FsABGKg= X-Received: by 2002:a05:622a:54a:b0:50b:37a6:e497 with SMTP id d75a77b69052e-5165a2c6a09mr217034241cf.44.1779115031155; Mon, 18 May 2026 07:37:11 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8ca36095326sm57986926d6.14.2026.05.18.07.37.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 May 2026 07:37:10 -0700 (PDT) From: Michael Bommarito To: "Martin K . Petersen" , "James E . J . Bottomley" Cc: Nilesh Javali , Himanshu Madhani , Shyam Sundar , James Smart , Hannes Reinecke , John Meneghini , Bryan Gurney , Justin Tee , Christoph Hellwig , Keith Busch , Kees Cook , linux-scsi@vger.kernel.org, linux-nvme@lists.infradead.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v2] scsi: scsi_transport_fc: widen FPIN pname walker counter to u32 Date: Mon, 18 May 2026 10:37:06 -0400 Message-ID: <20260518143706.2808177-1-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260518140945.2751273-1-michael.bommarito@gmail.com> References: <20260518140945.2751273-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" drivers/scsi/scsi_transport_fc.c::fc_fpin_li_stats_update() and fc_fpin_peer_congn_stats_update() walked the on-wire pname_list[] with a u8 loop counter against the 32-bit __be32 pname_count field, and never bounded pname_count by the descriptor body the TLV walker already validated. A fabric-side FPIN sender (the elected fabric controller, a co-tenant N_Port that spoofs S_ID 0xFFFFFD after FLOGI, or a compromised switch supervisor) could hang the FC ELS receive thread of an lpfc or qla2xxx initiator indefinitely by emitting one FPIN ELS frame whose Link-Integrity or Peer-Congestion descriptor sets pname_count to 256, because the u8 counter rolls over and the loop condition i < pname_count stays true for every value i can take. Widen the loop counter to u32 in both walkers and clamp pname_count against the per-descriptor available bytes (desc_len minus the fixed body that precedes pname_list[]) before iterating. A malformed descriptor that claims more entries than its TLV body can hold is rejected by the clamp. Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito --- v2: drop the redundant cover letter shipped with v1. A single-patch send should not carry a cover; the lead belongs in the commit message, which the patch below already has. The v1 cover also carried stale drafting- time envelope markers that should have been stripped before send. Apologies for the noise; please ignore the v1 cover at https://lore.kernel.org/linux-hardening/20260518140945.2751273-1-michae= l.bommarito@gmail.com/ The patch hunks below are byte-identical to v1's 0001. drivers/scsi/scsi_transport_fc.c | 81 ++++++++++++++++++++------------ 1 file changed, 51 insertions(+), 30 deletions(-) diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport= _fc.c index dce95e361daf0..cef0c85693fd4 100644 --- a/drivers/scsi/scsi_transport_fc.c +++ b/drivers/scsi/scsi_transport_fc.c @@ -747,7 +747,7 @@ fc_cn_stats_update(u16 event_type, struct fc_fpin_stats= *stats) static void fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv) { - u8 i; + u32 i, pname_count, max_count, desc_len; struct fc_rport *rport =3D NULL; struct fc_rport *attach_rport =3D NULL; struct fc_host_attrs *fc_host =3D shost_to_fc_host(shost); @@ -764,20 +764,34 @@ fc_fpin_li_stats_update(struct Scsi_Host *shost, stru= ct fc_tlv_desc *tlv) fc_li_stats_update(event_type, &attach_rport->fpin_stats); } =20 - if (be32_to_cpu(li_desc->pname_count) > 0) { - for (i =3D 0; - i < be32_to_cpu(li_desc->pname_count); - i++) { - wwpn =3D be64_to_cpu(li_desc->pname_list[i]); - rport =3D fc_find_rport_by_wwpn(shost, wwpn); - if (rport && - (rport->roles & FC_PORT_ROLE_FCP_TARGET || - rport->roles & FC_PORT_ROLE_NVME_TARGET)) { - if (rport =3D=3D attach_rport) - continue; - fc_li_stats_update(event_type, - &rport->fpin_stats); - } + /* + * Clamp pname_count to the number of pname_list entries + * the descriptor body can actually hold. desc_len + * excludes the desc_tag/desc_len header (FC_TLV_DESC_HDR_SZ), + * so the bytes available for pname_list[] are + * desc_len - sizeof(fixed fields before pname_list[]). + */ + pname_count =3D be32_to_cpu(li_desc->pname_count); + desc_len =3D be32_to_cpu(li_desc->desc_len); + if (desc_len < sizeof(*li_desc) - FC_TLV_DESC_HDR_SZ) + max_count =3D 0; + else + max_count =3D (desc_len - + (sizeof(*li_desc) - FC_TLV_DESC_HDR_SZ)) / + sizeof(li_desc->pname_list[0]); + if (pname_count > max_count) + pname_count =3D max_count; + + for (i =3D 0; i < pname_count; i++) { + wwpn =3D be64_to_cpu(li_desc->pname_list[i]); + rport =3D fc_find_rport_by_wwpn(shost, wwpn); + if (rport && + (rport->roles & FC_PORT_ROLE_FCP_TARGET || + rport->roles & FC_PORT_ROLE_NVME_TARGET)) { + if (rport =3D=3D attach_rport) + continue; + fc_li_stats_update(event_type, + &rport->fpin_stats); } } =20 @@ -827,7 +841,7 @@ static void fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv) { - u8 i; + u32 i, pname_count, max_count, desc_len; struct fc_rport *rport =3D NULL; struct fc_rport *attach_rport =3D NULL; struct fc_fn_peer_congn_desc *pc_desc =3D @@ -844,20 +858,27 @@ fc_fpin_peer_congn_stats_update(struct Scsi_Host *sho= st, fc_cn_stats_update(event_type, &attach_rport->fpin_stats); } =20 - if (be32_to_cpu(pc_desc->pname_count) > 0) { - for (i =3D 0; - i < be32_to_cpu(pc_desc->pname_count); - i++) { - wwpn =3D be64_to_cpu(pc_desc->pname_list[i]); - rport =3D fc_find_rport_by_wwpn(shost, wwpn); - if (rport && - (rport->roles & FC_PORT_ROLE_FCP_TARGET || - rport->roles & FC_PORT_ROLE_NVME_TARGET)) { - if (rport =3D=3D attach_rport) - continue; - fc_cn_stats_update(event_type, - &rport->fpin_stats); - } + pname_count =3D be32_to_cpu(pc_desc->pname_count); + desc_len =3D be32_to_cpu(pc_desc->desc_len); + if (desc_len < sizeof(*pc_desc) - FC_TLV_DESC_HDR_SZ) + max_count =3D 0; + else + max_count =3D (desc_len - + (sizeof(*pc_desc) - FC_TLV_DESC_HDR_SZ)) / + sizeof(pc_desc->pname_list[0]); + if (pname_count > max_count) + pname_count =3D max_count; + + for (i =3D 0; i < pname_count; i++) { + wwpn =3D be64_to_cpu(pc_desc->pname_list[i]); + rport =3D fc_find_rport_by_wwpn(shost, wwpn); + if (rport && + (rport->roles & FC_PORT_ROLE_FCP_TARGET || + rport->roles & FC_PORT_ROLE_NVME_TARGET)) { + if (rport =3D=3D attach_rport) + continue; + fc_cn_stats_update(event_type, + &rport->fpin_stats); } } } --=20 2.53.0