scsi: lpfc: Fix System panic after loading the driver
authorJames Smart <jsmart2021@gmail.com>
Fri, 2 Jun 2017 04:07:05 +0000 (21:07 -0700)
committerMartin K. Petersen <martin.petersen@oracle.com>
Tue, 13 Jun 2017 01:37:31 +0000 (21:37 -0400)
System panic with general protection fault during driver load

The driver uses a static array sli4_hba.handler_name to store the irq
handler names. If the io_channel_irqs exceeds the pre-allocated size
(32+1), then the driver will overwrite other fields of sli4_hba.

Fix: Dynamically allocate handler_name.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/scsi/lpfc/lpfc_init.c
drivers/scsi/lpfc/lpfc_sli4.h

index 3064f07680333fa643e4d0a26eb823e8a014e179..a825806036c348a91ed3ba421b6e642152b13232 100644 (file)
@@ -9665,6 +9665,7 @@ static int
 lpfc_sli4_enable_msix(struct lpfc_hba *phba)
 {
        int vectors, rc, index;
+       char *name;
 
        /* Set up MSI-X multi-message vectors */
        vectors = phba->io_channel_irqs;
@@ -9683,9 +9684,9 @@ lpfc_sli4_enable_msix(struct lpfc_hba *phba)
 
        /* Assign MSI-X vectors to interrupt handlers */
        for (index = 0; index < vectors; index++) {
-               memset(&phba->sli4_hba.handler_name[index], 0, 16);
-               snprintf((char *)&phba->sli4_hba.handler_name[index],
-                        LPFC_SLI4_HANDLER_NAME_SZ,
+               name = phba->sli4_hba.hba_eq_hdl[index].handler_name;
+               memset(name, 0, LPFC_SLI4_HANDLER_NAME_SZ);
+               snprintf(name, LPFC_SLI4_HANDLER_NAME_SZ,
                         LPFC_DRIVER_HANDLER_NAME"%d", index);
 
                phba->sli4_hba.hba_eq_hdl[index].idx = index;
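Review bot: The loop still trusts `vectors` to be no larger than the number of `hba_eq_hdl` entries, and nothing in this hunk shows or checks that. The name buffer now lives in `hba_eq_hdl[index]`, so the overwrite described in the commit message is avoided only if that array is allocated with an entry for every vector, including the last one that the next hunk hands to the FOF handler when `cfg_fof` is set. The allocation is outside this diff, so this is presumably the case, but I would state it above the loop: `/* hba_eq_hdl[] must hold at least 'vectors' entries; see its allocation */`. The `memset()` before `snprintf()` is needed only if the whole buffer must be zeroed, since `snprintf()` always terminates the string. lpfc_sli4_enable_msix() starts and ends outside this hunk.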
@@ -9694,12 +9695,12 @@ lpfc_sli4_enable_msix(struct lpfc_hba *phba)
                if (phba->cfg_fof && (index == (vectors - 1)))
                        rc = request_irq(pci_irq_vector(phba->pcidev, index),
                                 &lpfc_sli4_fof_intr_handler, 0,
-                                (char *)&phba->sli4_hba.handler_name[index],
+                                name,
                                 &phba->sli4_hba.hba_eq_hdl[index]);
                else
                        rc = request_irq(pci_irq_vector(phba->pcidev, index),
                                 &lpfc_sli4_hba_intr_handler, 0,
-                                (char *)&phba->sli4_hba.handler_name[index],
+                                name,
                                 &phba->sli4_hba.hba_eq_hdl[index]);
                if (rc) {
                        lpfc_printf_log(phba, KERN_WARNING, LOG_INIT,
index cf863db27700a2400463bcc65777ec15f9806da4..28b75e08e044af20313113b83baaa51f10ae3e9a 100644 (file)
@@ -407,8 +407,10 @@ struct lpfc_max_cfg_param {
 
 struct lpfc_hba;
 /* SLI4 HBA multi-fcp queue handler struct */
+#define LPFC_SLI4_HANDLER_NAME_SZ      16
 struct lpfc_hba_eq_hdl {
        uint32_t idx;
+       char handler_name[LPFC_SLI4_HANDLER_NAME_SZ];
        struct lpfc_hba *phba;
        atomic_t hba_eq_in_use;
        struct cpumask *cpumask;
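Review bot: The new `handler_name` field carries no comment, and its lifetime requirement is not obvious from the struct. request_irq() keeps the name pointer it is given rather than copying the string, so this buffer has to stay valid until the matching free_irq(), and it now sits in the array behind the `hba_eq_hdl` pointer instead of inside `struct lpfc_sli4_hba`. The same array element is already passed as `dev_id`, so the teardown order is presumably correct, but that path is not part of this diff. I would document it on the field: `char handler_name[LPFC_SLI4_HANDLER_NAME_SZ]; /* IRQ name given to request_irq(); must outlive the IRQ */`. The struct definition continues past the end of the hunk.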
@@ -480,7 +482,6 @@ struct lpfc_sli4_lnk_info {
 
 #define LPFC_SLI4_HANDLER_CNT          (LPFC_HBA_IO_CHAN_MAX+ \
                                         LPFC_FOF_IO_CHAN_NUM)
-#define LPFC_SLI4_HANDLER_NAME_SZ      16
 
 /* Used for IRQ vector to CPU mapping */
 struct lpfc_vector_map_info {
@@ -548,7 +549,6 @@ struct lpfc_sli4_hba {
        uint32_t ue_to_rp;
        struct lpfc_register sli_intf;
        struct lpfc_pc_sli4_params pc_sli4_params;
-       uint8_t handler_name[LPFC_SLI4_HANDLER_CNT][LPFC_SLI4_HANDLER_NAME_SZ];
        struct lpfc_hba_eq_hdl *hba_eq_hdl; /* HBA per-WQ handle */
 
        /* Pointers to the constructed SLI4 queues */