From nobody Sun May 24 23:29:00 2026 Received: from mail-qv1-f42.google.com (mail-qv1-f42.google.com [209.85.219.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7ACBC29B8D0 for ; Wed, 20 May 2026 13:30:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.42 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779283836; cv=none; b=PkdEwRTvupOFxX1vVqpb9C1JrW3FyEfg34Tp1SEYQwG1t4n3CfXddq4Y7Ad6U44hjZClJ+3YWUFaTvJ+Ob7RsSp1+wF43Q7CYOaMQklSkOBAbZTEXOlrqZ5VTP6xf/1e9M1miksjxe27xrM56n2yZsiEKi3Ivixx6/S8/XjQes4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779283836; c=relaxed/simple; bh=81dImCBjpgJ9s4r5i5sIJwiSPnwM1ab60Dzuzfby04c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=I91O9kdMC3P1mRvdgLMpGcz+fscVQjYGNRgcIa9TDeKmpo5GGtIqqKY2Dkye7FXqy//zd2rOEpEJkGw3HQljr7U9CobZUQ64IIJhau9lPAki9Pdyp9m2JaZ4BHi3k3ubmpWqeAIZbI8UKFiuKSfZMTr82B899f/NHKNbjJcckp0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=FOpYCRup; arc=none smtp.client-ip=209.85.219.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="FOpYCRup" Received: by mail-qv1-f42.google.com with SMTP id 6a1803df08f44-8c7154725easo60027486d6.0 for ; Wed, 20 May 2026 06:30:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779283831; x=1779888631; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RfxhCV7FuEx6FN3Ph695dMdjOoXCIAnanxO/gTjt8nU=; b=FOpYCRuprODo33/HyCjs8joQnos+gJQaUW6l4A7Ej35E9OtHm5kCkFjzHchy4Clsta dYPQkWUwruc2TgKdD4VOpwFmpHm9RpelzTCb11FPS0WAKR8J7B9QMz0VnP+5dsRCBJri Gew4AknisCfYMmrKEIctDlRcPz6o/K5W1vzNNq00PYg3aUd3xj49Pty9wq2OtY/h30cU I1yTYGpzJnA/XzMka68sCqlYZkqE0uFYi7gxejMr38vL4RMMATou0iAphOLlZfVDoijQ luWBEQQnPVa5bHr4X9xDxU4mMyEIPoBXmrKu0tGKEVc8KZV4N8gVM4Ub69YDqr09dj0c WygQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779283831; x=1779888631; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=RfxhCV7FuEx6FN3Ph695dMdjOoXCIAnanxO/gTjt8nU=; b=e92Q+Tj+5PufJ0Rm154wcChN6NLvd5M+uyyfKQ7nZk37A9tcQYVdexMRj7S6cdZ5RT 4vWouEltpwkCzTQrAKJRetZ8ByFhh6sk/hiJEHItDzbPG7811bZjyG1F4+ZTNQ6BHdxv vvFuJus7IMwSOeE/koixY3xWyhCngbVJgBC3YZY7Q0Rg7Vu5ZaytgYCHJHH41zH7f2ON uGUiQvL4usGPj9pF6eeKUaAZm7nPFtoIQLL8SagTp77BfUvuGNdPqEsR4BDwEpT5q47q X1BkM6d5OXx9CrkxesHM884ETS3GBoEPRrcvQpuhtdLJR0MczpcHyl8LQoNr3LGXnpEY NaVw== X-Forwarded-Encrypted: i=1; AFNElJ8mI0KZHOpdAfdmXlg13zl1g9Mri/0tWKIDXkr/xIgLlB7IZkatxXDKe6l2qDF7cFqIrEheeH6IriIuTMg=@vger.kernel.org X-Gm-Message-State: AOJu0YwhmCjx8rc2XTpO+IPRHvOhmT8EXCREz1oW4nhIUS82o9r1EBDd p//5vcl9z1eTOL4liNssEpi7iuyBKTYncjUlA622jSNC1BFvpPldBnIS X-Gm-Gg: Acq92OG24mTj6jWIqFVfncl0QlXzt11KYNCdZZFIk7KEyxln+ftjXDkDmLBbcBa9hic 0wtZgoCff7pmCR9MWLkHmjC380r/SuFsw5dVag+iWvr1CJUlYih/3gMqeFkGsW1zr6LkxvLLcvx rRiX1rUzzYlQwkvjnT9UNwUWzzyDuvmnzXc3M90lZ8uZhvqaXrsrA7+iw+jF/NDz7kP0SqsvVLS z3hF3ApwUiX/oFHvdrzfjvOhYiN2BjitQx90dMivR6I3cEU+qD25tMY9iL8Scp2Z5w6v9QvcOIl y5gZxaZNAqhzGcNgpm/PUH0fiaCJ0vMRowu6LWQb4ylwR3NrC0AxAV/pwkCCX12D1JTqxCVvNQH yLC3g9tw9hL8bcZTF4w3sHTBRb+sGHV38SOn7+fn7kZZ1i1b+Isq8ffu2kG08rNGExrUSAuNSgy Jrx0HCb3JB/I89byxa2WcHNRb2WGQAOiNBEf2JJ315+7qj3DVvOqGF5Q9VXCSV41W80O/rCPSEi jyHcIOrHK70q4aMPGQJ X-Received: by 2002:a05:6214:5548:b0:8ac:a546:7753 with SMTP id 6a1803df08f44-8ca0f601c85mr373645396d6.8.1779283831333; Wed, 20 May 2026 06:30:31 -0700 (PDT) Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8ca36190497sm121635816d6.29.2026.05.20.06.30.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 20 May 2026 06:30:30 -0700 (PDT) From: Michael Bommarito To: "Martin K. Petersen" , "James E.J. Bottomley" Cc: Nilesh Javali , Himanshu Madhani , Shyam Sundar , James Smart , Hannes Reinecke , John Meneghini , Bryan Gurney , Justin Tee , Christoph Hellwig , David Laight , Keith Busch , Kees Cook , linux-scsi@vger.kernel.org, linux-nvme@lists.infradead.org, linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: [PATCH v4] scsi: scsi_transport_fc: widen FPIN pname walker counter to u32 Date: Wed, 20 May 2026 09:30:15 -0400 Message-ID: <20260520133015.1018937-1-michael.bommarito@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260519190615.2761667-1-michael.bommarito@gmail.com> References: <20260519190615.2761667-1-michael.bommarito@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" An adjacent Fibre Channel fabric actor that can deliver an FPIN ELS frame to an lpfc or qla2xxx Linux initiator can trigger a non-return in the generic FC transport. This is not a local userspace or IP network path; the attacker must be able to inject fabric traffic, for example as a compromised switch or fabric controller, or as a same-zone N_Port on a fabric that permits source spoofing. The Link-Integrity and Peer-Congestion FPIN walkers used a u8 loop counter against the 32-bit on-wire pname_count field, and did not bound pname_count by the descriptor body already validated by the TLV walker. A pname_count of 256 therefore wraps the counter and keeps the loop condition true indefinitely. Factor the shared pname_list[] walk into one helper, widen the counter to u32, and clamp pname_count against the entries that fit in the descriptor body before iterating. Fixes: 3dcfe0de5a97 ("scsi: fc: Parse FPIN packets and update statistics") Cc: stable@vger.kernel.org Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Michael Bommarito Reviewed-by: Christoph Hellwig Reviewed-by: John Garry --- Changes in v4: - Use min() rather than min_t(u32, ...) for the pname_count clamp and fold away the temporary max_count variable, as David Laight suggested. Changes in v3: - State the fabric-adjacent threat model explicitly in the commit message and clarify that this is not local userspace or IP-network reachable. - Use min_t(u32, ...) for the pname_count clamp, as Christoph suggested. - Use FC_TLV_DESC_LENGTH_FROM_SZ() instead of open-coding the descriptor body length calculation. - Factor the duplicate LI and peer-congestion pname walker into a common helper while preserving the LI-only host-stat update. Changes in v2: - Drop the redundant cover letter shipped with v1. A single-patch send does not need one, and the v1 cover carried stale draft markers. drivers/scsi/scsi_transport_fc.c | 77 +++++++++++++++++--------------- 1 file changed, 41 insertions(+), 36 deletions(-) diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport= _fc.c index dce95e361daf0..173ed6373f04b 100644 --- a/drivers/scsi/scsi_transport_fc.c +++ b/drivers/scsi/scsi_transport_fc.c @@ -737,6 +737,37 @@ fc_cn_stats_update(u16 event_type, struct fc_fpin_stat= s *stats) } } =20 +static void +fc_fpin_pname_stats_update(struct Scsi_Host *shost, + struct fc_rport *attach_rport, u16 event_type, + u32 desc_len, u32 fixed_len, u32 pname_count, + __be64 *pname_list, + void (*stats_update)(u16 event_type, + struct fc_fpin_stats *stats)) +{ + u32 i; + struct fc_rport *rport; + u64 wwpn; + + if (desc_len < fixed_len) + pname_count =3D 0; + else + pname_count =3D min(pname_count, (desc_len - fixed_len) / + sizeof(pname_list[0])); + + for (i =3D 0; i < pname_count; i++) { + wwpn =3D be64_to_cpu(pname_list[i]); + rport =3D fc_find_rport_by_wwpn(shost, wwpn); + if (rport && + (rport->roles & FC_PORT_ROLE_FCP_TARGET || + rport->roles & FC_PORT_ROLE_NVME_TARGET)) { + if (rport =3D=3D attach_rport) + continue; + stats_update(event_type, &rport->fpin_stats); + } + } +} + /* * fc_fpin_li_stats_update - routine to update Link Integrity * event statistics. @@ -747,13 +778,11 @@ fc_cn_stats_update(u16 event_type, struct fc_fpin_sta= ts *stats) static void fc_fpin_li_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv) { - u8 i; struct fc_rport *rport =3D NULL; struct fc_rport *attach_rport =3D NULL; struct fc_host_attrs *fc_host =3D shost_to_fc_host(shost); struct fc_fn_li_desc *li_desc =3D (struct fc_fn_li_desc *)tlv; u16 event_type =3D be16_to_cpu(li_desc->event_type); - u64 wwpn; =20 rport =3D fc_find_rport_by_wwpn(shost, be64_to_cpu(li_desc->attached_wwpn)); @@ -764,22 +793,11 @@ fc_fpin_li_stats_update(struct Scsi_Host *shost, stru= ct fc_tlv_desc *tlv) fc_li_stats_update(event_type, &attach_rport->fpin_stats); } =20 - if (be32_to_cpu(li_desc->pname_count) > 0) { - for (i =3D 0; - i < be32_to_cpu(li_desc->pname_count); - i++) { - wwpn =3D be64_to_cpu(li_desc->pname_list[i]); - rport =3D fc_find_rport_by_wwpn(shost, wwpn); - if (rport && - (rport->roles & FC_PORT_ROLE_FCP_TARGET || - rport->roles & FC_PORT_ROLE_NVME_TARGET)) { - if (rport =3D=3D attach_rport) - continue; - fc_li_stats_update(event_type, - &rport->fpin_stats); - } - } - } + fc_fpin_pname_stats_update(shost, attach_rport, event_type, + be32_to_cpu(li_desc->desc_len), + FC_TLV_DESC_LENGTH_FROM_SZ(*li_desc), + be32_to_cpu(li_desc->pname_count), + li_desc->pname_list, fc_li_stats_update); =20 if (fc_host->port_name =3D=3D be64_to_cpu(li_desc->attached_wwpn)) fc_li_stats_update(event_type, &fc_host->fpin_stats); @@ -827,13 +845,11 @@ static void fc_fpin_peer_congn_stats_update(struct Scsi_Host *shost, struct fc_tlv_desc *tlv) { - u8 i; struct fc_rport *rport =3D NULL; struct fc_rport *attach_rport =3D NULL; struct fc_fn_peer_congn_desc *pc_desc =3D (struct fc_fn_peer_congn_desc *)tlv; u16 event_type =3D be16_to_cpu(pc_desc->event_type); - u64 wwpn; =20 rport =3D fc_find_rport_by_wwpn(shost, be64_to_cpu(pc_desc->attached_wwpn)); @@ -844,22 +860,11 @@ fc_fpin_peer_congn_stats_update(struct Scsi_Host *sho= st, fc_cn_stats_update(event_type, &attach_rport->fpin_stats); } =20 - if (be32_to_cpu(pc_desc->pname_count) > 0) { - for (i =3D 0; - i < be32_to_cpu(pc_desc->pname_count); - i++) { - wwpn =3D be64_to_cpu(pc_desc->pname_list[i]); - rport =3D fc_find_rport_by_wwpn(shost, wwpn); - if (rport && - (rport->roles & FC_PORT_ROLE_FCP_TARGET || - rport->roles & FC_PORT_ROLE_NVME_TARGET)) { - if (rport =3D=3D attach_rport) - continue; - fc_cn_stats_update(event_type, - &rport->fpin_stats); - } - } - } + fc_fpin_pname_stats_update(shost, attach_rport, event_type, + be32_to_cpu(pc_desc->desc_len), + FC_TLV_DESC_LENGTH_FROM_SZ(*pc_desc), + be32_to_cpu(pc_desc->pname_count), + pc_desc->pname_list, fc_cn_stats_update); } =20 /* --=20 2.53.0