[SCSI] lpfc 8.3.45: Fix sysfs buffer overrun in read of lpfc_fcp_cpu_map for 128 CPUs. (76fd07a6) · Commits · e / devices / android_kernel_teracube_2e

drivers/scsi/lpfc/lpfc_attr.c

+22 −6

Original line number	Diff line number	Diff line
		@@ -4288,7 +4288,7 @@ lpfc_fcp_cpu_map_show(struct device dev, struct device_attribute attr,
		struct lpfc_vport vport = (struct lpfc_vport )shost->hostdata;
		struct lpfc_hba *phba = vport->phba;
		struct lpfc_vector_map_info *cpup;
		int idx, len = 0;
		int len = 0;

		if ((phba->sli_rev != LPFC_SLI_REV4) \|\|
		(phba->intr_type != MSIX))
		@@ -4316,23 +4316,39 @@ lpfc_fcp_cpu_map_show(struct device dev, struct device_attribute attr,
		break;
		}

		cpup = phba->sli4_hba.cpu_map;
		for (idx = 0; idx < phba->sli4_hba.num_present_cpu; idx++) {
		while (phba->sli4_hba.curr_disp_cpu < phba->sli4_hba.num_present_cpu) {
		cpup = &phba->sli4_hba.cpu_map[phba->sli4_hba.curr_disp_cpu];

		/* margin should fit in this and the truncated message */
		if (cpup->irq == LPFC_VECTOR_MAP_EMPTY)
		len += snprintf(buf + len, PAGE_SIZE-len,
		"CPU %02d io_chan %02d "
		"physid %d coreid %d\n",
		idx, cpup->channel_id, cpup->phys_id,
		phba->sli4_hba.curr_disp_cpu,
		cpup->channel_id, cpup->phys_id,
		cpup->core_id);
		else
		len += snprintf(buf + len, PAGE_SIZE-len,
		"CPU %02d io_chan %02d "
		"physid %d coreid %d IRQ %d\n",
		idx, cpup->channel_id, cpup->phys_id,
		phba->sli4_hba.curr_disp_cpu,
		cpup->channel_id, cpup->phys_id,
		cpup->core_id, cpup->irq);

		cpup++;
		phba->sli4_hba.curr_disp_cpu++;

		/* display max number of CPUs keeping some margin */
		if (phba->sli4_hba.curr_disp_cpu <
		phba->sli4_hba.num_present_cpu &&
		(len >= (PAGE_SIZE - 64))) {
		len += snprintf(buf + len, PAGE_SIZE-len, "more...\n");
		break;
		}
		}

		if (phba->sli4_hba.curr_disp_cpu == phba->sli4_hba.num_present_cpu)
		phba->sli4_hba.curr_disp_cpu = 0;

		return len;
		}

drivers/scsi/lpfc/lpfc_init.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -5280,6 +5280,7 @@ lpfc_sli4_driver_resource_unset(struct lpfc_hba *phba)
		kfree(phba->sli4_hba.cpu_map);
		phba->sli4_hba.num_present_cpu = 0;
		phba->sli4_hba.num_online_cpu = 0;
		phba->sli4_hba.curr_disp_cpu = 0;

		/* Free memory allocated for msi-x interrupt vector entries */
		kfree(phba->sli4_hba.msix_entries);
		@@ -6850,6 +6851,7 @@ lpfc_sli4_queue_verify(struct lpfc_hba *phba)
		}
		phba->sli4_hba.num_online_cpu = i;
		phba->sli4_hba.num_present_cpu = lpfc_present_cpu;
		phba->sli4_hba.curr_disp_cpu = 0;

		if (i < cfg_fcp_io_channel) {
		lpfc_printf_log(phba,

drivers/scsi/lpfc/lpfc_sli4.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -607,6 +607,7 @@ struct lpfc_sli4_hba {
		struct lpfc_vector_map_info *cpu_map;
		uint16_t num_online_cpu;
		uint16_t num_present_cpu;
		uint16_t curr_disp_cpu;
		};

		enum lpfc_sge_type {