From nobody Mon Jun 8 20:42:41 2026
Date: Tue, 26 May 2026 14:29:43 +0000
In-Reply-To: <20260526-fortify_pm80-v2-0-359b743eb97a@google.com>
Message-ID: <20260526-fortify_pm80-v2-1-359b743eb97a@google.com>
Subject: [PATCH v2 1/2] scsi: libsas: Define sas_identify_frame_local via struct_group
From: Ronja Meyer
To: Jack Wang, "James E.J. Bottomley", "Martin K. Petersen", Tom Peng, Kevin Ao, Lindar Liu, James Bottomley
Cc: jack wang, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Ronja Meyer, stable@vger.kernel.org

The pm80 drivers both need a variant of the sas_identify_frame struct without the CRC struct member.

The pm80xx driver previously duplicated the struct, omitting this field, to sas_identify_frame_local in:

commit 5990fd57ebea ("scsi: pm80xx: redefine sas_identify_frame structure")

The pm8001 driver also needs the _local variant. Instead of duplicating the struct again, let's define it as a struct group inside the main sas_identify_frame struct and remove the duplicate in the pm80xx driver.

Sending to stable, as this change is required for the fortify-panic fix later in this chain to apply cleanly.

Cc: stable@vger.kernel.org
Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver")
Signed-off-by: Ronja Meyer
---
 drivers/scsi/pm8001/pm80xx_hwi.h |  96 --------------------------
 include/scsi/sas.h               | 144 ++++++++++++++++++++-------------
 2 files changed, 74 insertions(+), 166 deletions(-)

diff --git a/drivers/scsi/pm8001/pm80xx_hwi.h b/drivers/scsi/pm8001/pm80xx_hwi.h
index d8a63b7fed6a..2fa54b901a2e 100644
--- a/drivers/scsi/pm8001/pm80xx_hwi.h +++ b/drivers/scsi/pm8001/pm80xx_hwi.h @@ -236,102 +236,6 @@ /* Port recovery timeout, 10000 ms for PM8006 controller */ #define CHIP_8006_PORT_RECOVERY_TIMEOUT 0x640000 =20 -#ifdef __LITTLE_ENDIAN_BITFIELD -struct sas_identify_frame_local { - /* Byte 0 */ - u8 frame_type:4; - u8 dev_type:3; - u8 _un0:1; - - /* Byte 1 */ - u8 _un1; - - /* Byte 2 */ - union { - struct { - u8 _un20:1; - u8 smp_iport:1; - u8 stp_iport:1; - u8 ssp_iport:1; - u8 _un247:4; - }; - u8 initiator_bits; - }; - - /* Byte 3 */ - union { - struct { - u8 _un30:1; - u8 smp_tport:1; - u8 stp_tport:1; - u8 ssp_tport:1; - u8 _un347:4; - }; - u8 target_bits; - }; - - /* Byte 4 - 11 */ - u8 _un4_11[8]; - - /* Byte 12 - 19 */ - u8 sas_addr[SAS_ADDR_SIZE]; - - /* Byte 20 */ - u8 phy_id; - - u8 _un21_27[7]; - -} __packed; - -#elif defined(__BIG_ENDIAN_BITFIELD) -struct sas_identify_frame_local { - /* Byte 0 */ - u8 _un0:1; - u8 dev_type:3; - u8 frame_type:4; - - /* Byte 1 */ - u8 _un1; - - /* Byte 2 */ - union { - struct { - u8 _un247:4; - u8 ssp_iport:1; - u8 stp_iport:1; - u8 smp_iport:1; - u8 _un20:1; - }; - u8 initiator_bits; - }; - - /* Byte 3 */ - union { - struct { - u8 _un347:4; - u8 ssp_tport:1; - u8 stp_tport:1; - u8 smp_tport:1; - u8 _un30:1; - }; - u8 target_bits; - }; - - /* Byte 4 - 11 */ - u8 _un4_11[8]; - - /* Byte 12 - 19 */ - u8 sas_addr[SAS_ADDR_SIZE]; - - /* Byte 20 */ - u8 phy_id; - - u8 _un21_27[7]; -} __packed; -#else -#error "Bitfield order not defined!" -#endif - struct mpi_msg_hdr { __le32 header; /* Bits [11:0] - Message operation code */ /* Bits [15:12] - Message Category */ diff --git a/include/scsi/sas.h b/include/scsi/sas.h index 71b749bed3b0..90f3081a3270 100644 --- a/include/scsi/sas.h +++ b/include/scsi/sas.h 
@@ -252,48 +252,50 @@ struct host_to_dev_fis { */ #ifdef __LITTLE_ENDIAN_BITFIELD struct sas_identify_frame { - /* Byte 0 */ - u8 frame_type:4; - u8 dev_type:3; - u8 _un0:1; - - /* Byte 1 */ - u8 _un1; - - /* Byte 2 */ - union { - struct { - u8 _un20:1; - u8 smp_iport:1; - u8 stp_iport:1; - u8 ssp_iport:1; - u8 _un247:4; + __struct_group(sas_identify_frame_local, payload, __packed, + /* Byte 0 */ + u8 frame_type:4; + u8 dev_type:3; + u8 _un0:1; + + /* Byte 1 */ + u8 _un1; + + /* Byte 2 */ + union { + struct { + u8 _un20:1; + u8 smp_iport:1; + u8 stp_iport:1; + u8 ssp_iport:1; + u8 _un247:4; + }; + u8 initiator_bits; }; - u8 initiator_bits; - }; =20 - /* Byte 3 */ - union { - struct { - u8 _un30:1; - u8 smp_tport:1; - u8 stp_tport:1; - u8 ssp_tport:1; - u8 _un347:4; + /* Byte 3 */ + union { + struct { + u8 _un30:1; + u8 smp_tport:1; + u8 stp_tport:1; + u8 ssp_tport:1; + u8 _un347:4; + }; + u8 target_bits; }; - u8 target_bits; - }; =20 - /* Byte 4 - 11 */ - u8 _un4_11[8]; + /* Byte 4 - 11 */ + u8 _un4_11[8]; =20 - /* Byte 12 - 19 */ - u8 sas_addr[SAS_ADDR_SIZE]; + /* Byte 12 - 19 */ + u8 sas_addr[SAS_ADDR_SIZE]; =20 - /* Byte 20 */ - u8 phy_id; + /* Byte 20 */ + u8 phy_id; =20 - u8 _un21_27[7]; + u8 _un21_27[7]; + ); =20 __be32 crc; } __attribute__ ((packed)); 
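Review bot: the size of the new `__struct_group(sas_identify_frame_local, payload, __packed, ...)` is what the pm80xx `memcpy()` in `hw_event_sas_phy_up()` now relies on, but nothing in this hunk pins it; after the `#endif` that closes the bitfield-order branches, add `static_assert(sizeof(struct sas_identify_frame_local) == 28);` and `static_assert(sizeof(struct sas_identify_frame) == 32);` so a stray member in either endian branch becomes a build error rather than a silently changed frame size. The `crc` member correctly stays outside the group, which is the whole point of the tag, and the `__packed` attribute on the group is needed so the standalone `struct sas_identify_frame_local` keeps the same layout as the enclosing packed struct.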
@@ -473,48 +475,50 @@ struct report_phy_sata_resp { =20 #elif defined(__BIG_ENDIAN_BITFIELD) struct sas_identify_frame { - /* Byte 0 */ - u8 _un0:1; - u8 dev_type:3; - u8 frame_type:4; - - /* Byte 1 */ - u8 _un1; - - /* Byte 2 */ - union { - struct { - u8 _un247:4; - u8 ssp_iport:1; - u8 stp_iport:1; - u8 smp_iport:1; - u8 _un20:1; + __struct_group(sas_identify_frame_local, payload, __packed, + /* Byte 0 */ + u8 _un0:1; + u8 dev_type:3; + u8 frame_type:4; + + /* Byte 1 */ + u8 _un1; + + /* Byte 2 */ + union { + struct { + u8 _un247:4; + u8 ssp_iport:1; + u8 stp_iport:1; + u8 smp_iport:1; + u8 _un20:1; + }; + u8 initiator_bits; }; - u8 initiator_bits; - }; =20 - /* Byte 3 */ - union { - struct { - u8 _un347:4; - u8 ssp_tport:1; - u8 stp_tport:1; - u8 smp_tport:1; - u8 _un30:1; + /* Byte 3 */ + union { + struct { + u8 _un347:4; + u8 ssp_tport:1; + u8 stp_tport:1; + u8 smp_tport:1; + u8 _un30:1; + }; + u8 target_bits; }; - u8 target_bits; - }; =20 - /* Byte 4 - 11 */ - u8 _un4_11[8]; + /* Byte 4 - 11 */ + u8 _un4_11[8]; =20 - /* Byte 12 - 19 */ - u8 sas_addr[SAS_ADDR_SIZE]; + /* Byte 12 - 19 */ + u8 sas_addr[SAS_ADDR_SIZE]; =20 - /* Byte 20 */ - u8 phy_id; + /* Byte 20 */ + u8 phy_id; =20 - u8 _un21_27[7]; + u8 _un21_27[7]; + ); =20 __be32 crc; } __attribute__ ((packed));
--
2.54.0.746.g67dd491aae-goog
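Review bot: the big-endian `__struct_group(...)` body in this hunk must stay in lockstep with the little-endian one above it, and nothing in either hunk documents what `sas_identify_frame_local` is for or that a member named `payload` now exists (the series never references `payload`); a one-line comment above the `#ifdef __LITTLE_ENDIAN_BITFIELD`, saying the group is the IDENTIFY address frame without the trailing `crc`, which is the form the pm8001/pm80xx HBAs deliver, would save the next reader from reconstructing that from the two driver headers.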
From nobody Mon Jun 8 20:42:41 2026
Date: Tue, 26 May 2026 14:29:44 +0000
In-Reply-To: <20260526-fortify_pm80-v2-0-359b743eb97a@google.com>
Message-ID: <20260526-fortify_pm80-v2-2-359b743eb97a@google.com>
Subject: [PATCH v2 2/2] scsi: pm8001: Match hw_event_resp to HBA data layout
From: Ronja Meyer
To: Jack Wang, "James E.J. Bottomley", "Martin K. Petersen", Tom Peng, Kevin Ao, Lindar Liu, James Bottomley
Cc: jack wang, linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Ronja Meyer, stable@vger.kernel.org, Igor Pylypiv

Correct the hw_event_resp and phy_start_req struct definitions to match the layout of data sent by the HBA. Remove pointer arithmetic working around the previously incorrect struct definitions.

Looking at the struct definition before this patch:

struct hw_event_resp {
	[...]
	struct sas_identify_frame sas_identify;
	struct dev_to_host_fis sata_fis;
} __attribute__((packed, aligned(4)));

Previously the memcpy() in hw_event_sata_phy_up() crossed reading from the sas_identify struct over into the sata_fis struct. This was necessary because the hw_event_resp struct definition didn't align properly with what the HBA actually sent. The member sas_identify right before the member sata_fis was 4 bytes too long, causing the first 4 bytes of the sata_fis to be shifted into the last 4 bytes of sas_identify. The code worked around this by subtracting 4 bytes from both the sata_fis pointer, as well as sizeof(sas_identify), when they were used.

FORTIFY_SOURCE detected this deliberate choice to cross struct member boundaries as an out-of-bounds read, even though in this case it didn't lead to a vulnerability. Hence the following fortify-panic was triggered:

kernel BUG at lib/string_helpers.c:1044!
RIP: 0010:__fortify_panic+0x9/0x10
hw_event_sata_phy_up+0xea/0x120 [pm80xx]
process_one_iomb+0x634e/0x6360 [pm80xx]
process_oq+0x391/0x430 [pm80xx]
pm80xx_chip_isr+0x78/0x100 [pm80xx]
tasklet_action_common+0x16a/0x2b0
handle_softirqs+0xcd/0x2a0
__irq_exit_rcu+0x50/0x100
common_interrupt+0x89/0xa0

Furthermore hw_event_resp was 64 bytes before this patch, which is 4 bytes too long. Messages exchanged between the pm8001 and the host kernel can be a maximum of 64 bytes, as defined in iomb_size. The message structs defined in pm8001_hwi.h must have a size of 60 bytes, in order to leave space for a 4 byte header that implicitly precedes each message. Luckily the code interacting with hw_event_resp doesn't ever seem to read or write the last 4 bytes of the struct and doesn't seem to use the incorrect size of the struct in a copy operation. Hence it doesn't overflow in practice.

Further, the pm80xx driver was unaffected by this bug. While the pm80xx struct was also 64 bytes, the message size on pm80xx is 128 bytes. Hence it is able to fit the 68 byte header and message without overflowing.

This is not security critical AFAICT.

Cc: stable@vger.kernel.org
Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver")
Co-developed-by: Igor Pylypiv
Signed-off-by: Igor Pylypiv
Signed-off-by: Ronja Meyer
---
 drivers/scsi/pm8001/pm8001_hwi.c | 6 +++---
 drivers/scsi/pm8001/pm8001_hwi.h | 6 +++---
 drivers/scsi/pm8001/pm80xx_hwi.c | 6 +++---
 drivers/scsi/pm8001/pm80xx_hwi.h | 4 ++--
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c
index fff8d877abb9..e90f2d98d8ed 100644
--- a/drivers/scsi/pm8001/pm8001_hwi.c
+++ b/drivers/scsi/pm8001/pm8001_hwi.c
@@ -3164,8 +3164,8 @@ hw_event_sas_phy_up(struct pm8001_hba_info *pm8001_ha= , void *piomb) sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC); spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags); memcpy(phy->frame_rcvd, &pPayload->sas_identify, - sizeof(struct sas_identify_frame)-4); - phy->frame_rcvd_size =3D sizeof(struct sas_identify_frame) - 4; + sizeof(struct sas_identify_frame_local)); + phy->frame_rcvd_size =3D sizeof(struct sas_identify_frame_local); pm8001_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr); spin_unlock_irqrestore(&phy->sas_phy.frame_rcvd_lock, flags); if (pm8001_ha->flags =3D=3D PM8001F_RUN_TIME) @@ -3208,7 +3208,7 @@ hw_event_sata_phy_up(struct pm8001_hba_info *pm8001_h= a, void *piomb) phy->sas_phy.oob_mode =3D SATA_OOB_MODE; sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC); spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags); - memcpy(phy->frame_rcvd, ((u8 *)&pPayload->sata_fis - 4), + memcpy(phy->frame_rcvd, &pPayload->sata_fis, sizeof(struct dev_to_host_fis)); phy->frame_rcvd_size =3D sizeof(struct dev_to_host_fis); phy->identify.target_port_protocols =3D SAS_PROTOCOL_SATA; diff --git a/drivers/scsi/pm8001/pm8001_hwi.h b/drivers/scsi/pm8001/pm8001_= hwi.h index f1ce8df082b0..395be4fdbf81 100644 --- a/drivers/scsi/pm8001/pm8001_hwi.h +++ b/drivers/scsi/pm8001/pm8001_hwi.h @@ -153,8 +153,8 @@ struct mpi_msg_hdr{ struct phy_start_req { __le32 tag; __le32 ase_sh_lm_slr_phyid; - struct sas_identify_frame sas_identify; - u32 reserved[5]; + struct sas_identify_frame_local sas_identify; /* _local to omit CRC field= */ + u32 reserved[6]; } __attribute__((packed, aligned(4))); =20 =20 @@ -229,7 +229,7 @@ struct hw_event_resp { __le32 lr_evt_status_phyid_portid; __le32 evt_param; __le32 npip_portstate; - struct sas_identify_frame sas_identify; + struct sas_identify_frame_local sas_identify; /* _local to omit CRC field= */ struct dev_to_host_fis sata_fis; } __attribute__((packed, aligned(4))); =20 
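Review bot: the two pm8001_hwi.c hunks swap `sizeof(struct sas_identify_frame) - 4` for `sizeof(struct sas_identify_frame_local)` and drop the `((u8 *)&pPayload->sata_fis - 4)` cast, but the commit message never says outright that both sizes are 28 bytes (the u8 members of the group in patch 1 sum to 28, and `crc` adds the 4 that was being subtracted), so `phy->frame_rcvd_size` and the bytes landing in `phy->frame_rcvd` are unchanged; stating that makes it clear to stable reviewers that this is a layout/FORTIFY fix with no behaviour change for SAS phys.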
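Review bot: the pm8001_hwi.h hunks (`reserved[5]` to `reserved[6]` in phy_start_req, the `_local` member in hw_event_resp) leave the reader to redo the arithmetic to confirm the 60-byte body the commit message says iomb_size requires; add `static_assert(sizeof(struct phy_start_req) == 60);` and `static_assert(sizeof(struct hw_event_resp) == 60);` after the definitions so the next layout slip is a build error rather than a runtime FORTIFY panic, and so the claim that the old struct was 64 bytes is checked by the compiler instead of by hand.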
diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_= hwi.c index 954f307352e6..03293e9b84e6 100644 --- a/drivers/scsi/pm8001/pm80xx_hwi.c +++ b/drivers/scsi/pm8001/pm80xx_hwi.c @@ -3241,8 +3241,8 @@ hw_event_sas_phy_up(struct pm8001_hba_info *pm8001_ha= , void *piomb) sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC); spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags); memcpy(phy->frame_rcvd, &pPayload->sas_identify, - sizeof(struct sas_identify_frame)-4); - phy->frame_rcvd_size =3D sizeof(struct sas_identify_frame) - 4; + sizeof(struct sas_identify_frame_local)); + phy->frame_rcvd_size =3D sizeof(struct sas_identify_frame_local); pm8001_get_attached_sas_addr(phy, phy->sas_phy.attached_sas_addr); spin_unlock_irqrestore(&phy->sas_phy.frame_rcvd_lock, flags); if (pm8001_ha->flags =3D=3D PM8001F_RUN_TIME) @@ -3289,7 +3289,7 @@ hw_event_sata_phy_up(struct pm8001_hba_info *pm8001_h= a, void *piomb) phy->sas_phy.oob_mode =3D SATA_OOB_MODE; sas_notify_phy_event(&phy->sas_phy, PHYE_OOB_DONE, GFP_ATOMIC); spin_lock_irqsave(&phy->sas_phy.frame_rcvd_lock, flags); - memcpy(phy->frame_rcvd, ((u8 *)&pPayload->sata_fis - 4), + memcpy(phy->frame_rcvd, &pPayload->sata_fis, sizeof(struct dev_to_host_fis)); phy->frame_rcvd_size =3D sizeof(struct dev_to_host_fis); phy->identify.target_port_protocols =3D SAS_PROTOCOL_SATA; diff --git a/drivers/scsi/pm8001/pm80xx_hwi.h b/drivers/scsi/pm8001/pm80xx_= hwi.h index 2fa54b901a2e..41f10c970125 100644 --- a/drivers/scsi/pm8001/pm80xx_hwi.h +++ b/drivers/scsi/pm8001/pm80xx_hwi.h @@ -255,7 +255,7 @@ struct mpi_msg_hdr { struct phy_start_req { __le32 tag; __le32 ase_sh_lm_slr_phyid; - struct sas_identify_frame_local sas_identify; /* 28 Bytes */ + struct sas_identify_frame_local sas_identify; /* _local to omit CRC field= */ __le32 spasti; u32 reserved[21]; } __attribute__((packed, aligned(4))); 
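Review bot: in the pm80xx_hwi.h phy_start_req hunk the replaced comment `/* 28 Bytes */` carried the only size information in that header, and the new `/* _local to omit CRC field */` drops it; keep both, e.g. `/* _local to omit CRC field, 28 bytes */`, since the placement of `spasti` and `reserved[21]` after it is only right if that 28 holds. The pm80xx_hwi.c hunks are the same change as the pm8001_hwi.c ones and need no further comment.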
@@ -331,7 +331,7 @@ struct hw_event_resp { __le32 lr_status_evt_portid; __le32 evt_param; __le32 phyid_npip_portstate; - struct sas_identify_frame sas_identify; + struct sas_identify_frame_local sas_identify; /* _local to omit CRC field= */ struct dev_to_host_fis sata_fis; } __attribute__((packed, aligned(4))); =20
--
2.54.0.746.g67dd491aae-goog
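Review bot: this pm80xx_hwi.h hw_event_resp hunk moves `sata_fis` 4 bytes earlier, and the series removes the matching `- 4` only at the `memcpy()` in pm80xx's `hw_event_sata_phy_up()`; please state in the commit message that no other pm80xx_hwi.c reader of `sata_fis` or of `sizeof(struct hw_event_resp)` depended on the old offset, as the diff touches only those two sites and a reader of this hunk alone cannot tell.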
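The misaligned layout the commit message describes, as an added user-space example that is not part of the patch series or the pm8001 driver: both versions of hw_event_resp side by side, a constructed 60-byte HBA message, and a rough model of the FORTIFY_SOURCE member check that fired. Struct and member names mirror the kernel's; collapsing byte 0 into one u8, the opaque 20-byte FIS, and the sample bytes are assumptions made for the example.

```c
/* Added example, not code from the patch series: a user-space model of the pm8001
 * hw_event_resp layout bug. Struct names mirror the kernel's; the D2H FIS is an
 * opaque 20-byte blob and the HBA message below is constructed by hand, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAS_ADDR_SIZE 8
#define IOMB_SIZE 64 /* pm8001 message slot: 4-byte header + 60-byte body */

struct sas_identify_frame_local { /* 28 bytes, what the HBA delivers, no CRC;
				   * byte 0's bitfields are collapsed into one u8 */
	uint8_t frame_type_dev_type, _un1, initiator_bits, target_bits, _un4_11[8];
	uint8_t sas_addr[SAS_ADDR_SIZE], phy_id, _un21_27[7];
} __attribute__((packed));

struct sas_identify_frame {       /* 32 bytes: full libsas frame incl. CRC */
	struct sas_identify_frame_local payload;
	uint32_t crc;
} __attribute__((packed));
struct dev_to_host_fis { uint8_t b[20]; } __attribute__((packed));

struct hw_event_resp_old {        /* before the fix: 64 bytes, sata_fis 4 bytes late */
	uint32_t lr_evt_status_phyid_portid, evt_param, npip_portstate;
	struct sas_identify_frame sas_identify;
	struct dev_to_host_fis sata_fis;
} __attribute__((packed, aligned(4)));

struct hw_event_resp_new {        /* after the fix: 60 bytes, matches the wire */
	uint32_t lr_evt_status_phyid_portid, evt_param, npip_portstate;
	struct sas_identify_frame_local sas_identify;
	struct dev_to_host_fis sata_fis;
} __attribute__((packed, aligned(4)));

/* Constructed 60-byte body: identify payload at offset 12 with phy_id 5 (offset 32),
 * D2H FIS at offset 40 (fis_type 0x34, status 0x50). */
static const uint8_t hba_msg[60] = { [32] = 0x05, [40] = 0x34, [42] = 0x50 };

size_t old_resp_size(void) { return sizeof(struct hw_event_resp_old); }
size_t new_resp_size(void) { return sizeof(struct hw_event_resp_new); }
int body_fits_iomb(size_t body) { return body + 4 <= IOMB_SIZE; }

/* Old layout: sata_fis sits at offset 44 while the FIS is on the wire at 40,
 * hence the driver's "(u8 *)&pPayload->sata_fis - 4" workaround. */
int old_layout_fis_type(int use_workaround)
{
	struct hw_event_resp_old r = { 0 };
	const uint8_t *fis = (const uint8_t *)&r.sata_fis - (use_workaround ? 4 : 0);
	memcpy(&r, hba_msg, sizeof hba_msg); /* only 60 bytes exist on the wire */
	return fis[0];
}

/* New layout: plain member access lands on the right bytes for both members. */
int new_layout_fis_type(void)
{
	struct hw_event_resp_new r;
	memcpy(&r, hba_msg, sizeof r);
	return r.sas_identify.phy_id == 5 ? r.sata_fis.b[0] : -1;
}

/* Rough model of the FORTIFY_SOURCE member-bounds check that fired: the copied
 * range must stay inside the member it is taken from. Returns 1 if it does. */
int sata_copy_passes_fortify(int fixed_layout)
{
	size_t len = sizeof(struct dev_to_host_fis);
	size_t m = fixed_layout ? offsetof(struct hw_event_resp_new, sata_fis)
				: offsetof(struct hw_event_resp_old, sata_fis);
	size_t src = fixed_layout ? m : m - 4; /* the old code subtracted 4 */
	return src >= m && src + len <= m + len;
}
```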