tree: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git kspp/memcpy/next-20210519/v0
head: 48fff7f29af65f2ab9e56bc71a0ef652f91a68cd
commit: 431fe12213302a60466170edda968b1ce84c9c16 [49/53] fortify: Detect struct member overflows in mem{cpy,move,set}()
config: parisc-allyesconfig (attached as .config)
compiler: hppa-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?id...
git remote add kees https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git
git fetch --no-tags kees kspp/memcpy/next-20210519/v0
git checkout 431fe12213302a60466170edda968b1ce84c9c16
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=parisc
If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp(a)intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/uuid.h:12,
from include/linux/mod_devicetable.h:13,
from arch/parisc/include/asm/hardware.h:5,
from arch/parisc/include/asm/processor.h:16,
from arch/parisc/include/asm/spinlock.h:7,
from arch/parisc/include/asm/atomic.h:22,
from include/linux/atomic.h:7,
from arch/parisc/include/asm/bitops.h:13,
from include/linux/bitops.h:32,
from include/linux/kernel.h:12,
from arch/parisc/include/asm/bug.h:5,
from include/linux/bug.h:5,
from include/linux/thread_info.h:13,
from include/asm-generic/current.h:5,
from ./arch/parisc/include/generated/asm/current.h:1,
from include/linux/sched.h:12,
from include/linux/blkdev.h:5,
from drivers/scsi/aha1740.c:40:
drivers/scsi/aha1740.c: In function 'aha1740_intr_handle':
>> drivers/scsi/aha1740.c:271:19: warning: argument to 'sizeof' in 'memcpy' call is the same expression as the destination; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess]
271 | sizeof(SCtmp->sense_buffer),
| ^
include/linux/string.h:276:21: note: in definition of macro 'memcpy_and_pad'
276 | memcpy(dest, src, dest_len); \
| ^~~~~~~~
vim +271 drivers/scsi/aha1740.c
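/*
 * A "high" level interrupt handler.
 *
 * @irq:    interrupt number; not referenced in the body.
 * @dev_id: the struct Scsi_Host this interrupt belongs to. A NULL value
 *          is treated as fatal (panic).
 *
 * Takes host->host_lock with interrupts saved and services the adapter for
 * as long as G2STAT reports G2STAT_INTPEND. Each pass reads the interrupt
 * status, maps the mailbox-in value back to its ECB, resets the interrupt
 * and dispatches on the status code. For CCB completions it releases the
 * DMA mappings and the scatter-gather block, copies the sense data on
 * error, records the result and calls the command's completion callback.
 *
 * Returns IRQ_RETVAL(handled); handled becomes 1 once a pending interrupt
 * has been seen.
 */
static irqreturn_t aha1740_intr_handle(int irq, void *dev_id)
{
	struct Scsi_Host *host = (struct Scsi_Host *) dev_id;
	void (*my_done)(struct scsi_cmnd *);
	int errstatus, adapstat;
	int number_serviced;
	struct ecb *ecbptr;
	struct scsi_cmnd *SCtmp;
	unsigned int base;
	unsigned long flags;
	int handled = 0;
	struct aha1740_sg *sgptr;
	struct eisa_device *edev;

	if (!host)
		panic("aha1740.c: Irq from unknown host!\n");
	spin_lock_irqsave(host->host_lock, flags);
	base = host->io_port;
	number_serviced = 0;
	edev = HOSTDATA(host)->edev;

	while (inb(G2STAT(base)) & G2STAT_INTPEND) {
		handled = 1;
		DEB(printk("aha1740_intr top of loop.\n"));
		adapstat = inb(G2INTST(base));
		/* The mailbox holds a bus address; translate it to the ECB. */
		ecbptr = ecb_dma_to_cpu(host, inl(MBOXIN0(base)));
		outb(G2CNTRL_IRST, G2CNTRL(base)); /* interrupt reset */

		switch (adapstat & G2INTST_MASK) {
		case G2INTST_CCBRETRY:
		case G2INTST_CCBERROR:
		case G2INTST_CCBGOOD:
			/* Host Ready -> Mailbox in complete */
			outb(G2CNTRL_HRDY, G2CNTRL(base));
			if (!ecbptr) {
				printk("Aha1740 null ecbptr in interrupt (%x,%x,%x,%d)\n",
				       inb(G2STAT(base)), adapstat,
				       inb(G2INTST(base)), number_serviced++);
				continue;
			}
			SCtmp = ecbptr->SCpnt;
			if (!SCtmp) {
				printk("Aha1740 null SCtmp in interrupt (%x,%x,%x,%d)\n",
				       inb(G2STAT(base)), adapstat,
				       inb(G2INTST(base)), number_serviced++);
				continue;
			}
			sgptr = (struct aha1740_sg *) SCtmp->host_scribble;
			scsi_dma_unmap(SCtmp);

			/*
			 * Free the sg block. sgptr aliases host_scribble, so
			 * sg_dma_addr is read out of the block being freed;
			 * as a call argument it is evaluated before
			 * dma_free_coherent() runs.
			 */
			dma_free_coherent(&edev->dev,
					  sizeof(struct aha1740_sg),
					  SCtmp->host_scribble,
					  sgptr->sg_dma_addr);

			/*
			 * Fetch the sense data, and tuck it away, in the
			 * required slot. The Adaptec automatically fetches
			 * it, and there is no guarantee that we will still
			 * have it in the cdb when we come back.
			 */
			if ((adapstat & G2INTST_MASK) == G2INTST_CCBERROR) {
				/*
				 * SCtmp->sense_buffer is a pointer, so
				 * sizeof(SCtmp->sense_buffer) is the pointer
				 * width, not the capacity of the buffer behind
				 * it; that is what -Wsizeof-pointer-memaccess
				 * reports at line 271. As dest_len it would
				 * limit the copy to a pointer-sized prefix of
				 * the sense data and leave the rest of the
				 * buffer unpadded. Use SCSI_SENSE_BUFFERSIZE
				 * as the destination size and keep the copy
				 * length clamped to the smaller of the two
				 * buffers so neither side is overrun.
				 * NOTE(review): SCSI_SENSE_BUFFERSIZE is
				 * declared in <scsi/scsi_cmnd.h>; the file's
				 * includes are not shown here - confirm it is
				 * in scope.
				 */
				memcpy_and_pad(SCtmp->sense_buffer,
					       SCSI_SENSE_BUFFERSIZE,
					       ecbptr->sense,
					       min_t(size_t, SCSI_SENSE_BUFFERSIZE,
						     sizeof(ecbptr->sense)),
					       0);
				errstatus = aha1740_makecode(ecbptr->sense,
							     ecbptr->status);
			} else
				errstatus = 0;
			DEB(if (errstatus)
			    printk("aha1740_intr_handle: returning %6x\n",
				   errstatus));
			SCtmp->result = errstatus;
			/* Save the callback first: the memset clears ecbptr->done. */
			my_done = ecbptr->done;
			memset(ecbptr, 0, sizeof(struct ecb));
			if (my_done)
				my_done(SCtmp);
			break;

		case G2INTST_HARDFAIL:
			printk(KERN_ALERT "aha1740 hardware failure!\n");
			panic("aha1740.c"); /* Goodbye; panic() does not return */

		case G2INTST_ASNEVENT:
			printk("aha1740 asynchronous event: %02x %02x %02x %02x %02x\n",
			       adapstat,
			       inb(MBOXIN0(base)),
			       inb(MBOXIN1(base)),
			       inb(MBOXIN2(base)),
			       inb(MBOXIN3(base))); /* Say What? */
			/* Host Ready -> Mailbox in complete */
			outb(G2CNTRL_HRDY, G2CNTRL(base));
			break;

		case G2INTST_CMDGOOD:
			/* set immediate command success flag here: */
			break;

		case G2INTST_CMDERROR:
			/* Set immediate command failure flag here: */
			break;
		}
		number_serviced++;
	}

	spin_unlock_irqrestore(host->host_lock, flags);
	return IRQ_RETVAL(handled);
}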
:::::: The code at line 271 was first introduced by commit
:::::: 123445f622832f3b4c854f0d32a6e109a51d37da scsi: aha1740: Avoid over-read of sense buffer
:::::: TO: Kees Cook <keescook(a)chromium.org>
:::::: CC: Kees Cook <keescook(a)chromium.org>
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org