scsi: lpfc: Fix oops due to overrun when reading SLI3 data
When using DUMP on SLI3 to read VPD and Port status data (config region 23), the adapter is overruning the kmalloc'd buffer causing havoc on other consumers of the allocation pools. Rework the loops processing the dump data and validate/size memory lengths before performing bcopy. Link: https://lore.kernel.org/r/20200630215001.70793-6-jsmart2021@gmail.com Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com> Signed-off-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
This commit is contained in:
parent
9806c984d4
commit
d91e3abb68
@ -253,13 +253,15 @@ lpfc_config_port_prep(struct lpfc_hba *phba)
|
|||||||
*/
|
*/
|
||||||
if (mb->un.varDmp.word_cnt == 0)
|
if (mb->un.varDmp.word_cnt == 0)
|
||||||
break;
|
break;
|
||||||
if (mb->un.varDmp.word_cnt > DMP_VPD_SIZE - offset)
|
|
||||||
mb->un.varDmp.word_cnt = DMP_VPD_SIZE - offset;
|
i = mb->un.varDmp.word_cnt * sizeof(uint32_t);
|
||||||
|
if (offset + i > DMP_VPD_SIZE)
|
||||||
|
i = DMP_VPD_SIZE - offset;
|
||||||
lpfc_sli_pcimem_bcopy(((uint8_t *)mb) + DMP_RSP_OFFSET,
|
lpfc_sli_pcimem_bcopy(((uint8_t *)mb) + DMP_RSP_OFFSET,
|
||||||
lpfc_vpd_data + offset,
|
lpfc_vpd_data + offset, i);
|
||||||
mb->un.varDmp.word_cnt);
|
offset += i;
|
||||||
offset += mb->un.varDmp.word_cnt;
|
} while (offset < DMP_VPD_SIZE);
|
||||||
} while (mb->un.varDmp.word_cnt && offset < DMP_VPD_SIZE);
|
|
||||||
lpfc_parse_vpd(phba, lpfc_vpd_data, offset);
|
lpfc_parse_vpd(phba, lpfc_vpd_data, offset);
|
||||||
|
|
||||||
kfree(lpfc_vpd_data);
|
kfree(lpfc_vpd_data);
|
||||||
|
@ -19326,7 +19326,7 @@ lpfc_sli_get_config_region23(struct lpfc_hba *phba, char *rgn23_data)
|
|||||||
LPFC_MBOXQ_t *pmb = NULL;
|
LPFC_MBOXQ_t *pmb = NULL;
|
||||||
MAILBOX_t *mb;
|
MAILBOX_t *mb;
|
||||||
uint32_t offset = 0;
|
uint32_t offset = 0;
|
||||||
int rc;
|
int i, rc;
|
||||||
|
|
||||||
if (!rgn23_data)
|
if (!rgn23_data)
|
||||||
return 0;
|
return 0;
|
||||||
@ -19356,14 +19356,14 @@ lpfc_sli_get_config_region23(struct lpfc_hba *phba, char *rgn23_data)
|
|||||||
*/
|
*/
|
||||||
if (mb->un.varDmp.word_cnt == 0)
|
if (mb->un.varDmp.word_cnt == 0)
|
||||||
break;
|
break;
|
||||||
if (mb->un.varDmp.word_cnt > DMP_RGN23_SIZE - offset)
|
|
||||||
mb->un.varDmp.word_cnt = DMP_RGN23_SIZE - offset;
|
|
||||||
|
|
||||||
|
i = mb->un.varDmp.word_cnt * sizeof(uint32_t);
|
||||||
|
if (offset + i > DMP_RGN23_SIZE)
|
||||||
|
i = DMP_RGN23_SIZE - offset;
|
||||||
lpfc_sli_pcimem_bcopy(((uint8_t *)mb) + DMP_RSP_OFFSET,
|
lpfc_sli_pcimem_bcopy(((uint8_t *)mb) + DMP_RSP_OFFSET,
|
||||||
rgn23_data + offset,
|
rgn23_data + offset, i);
|
||||||
mb->un.varDmp.word_cnt);
|
offset += i;
|
||||||
offset += mb->un.varDmp.word_cnt;
|
} while (offset < DMP_RGN23_SIZE);
|
||||||
} while (mb->un.varDmp.word_cnt && offset < DMP_RGN23_SIZE);
|
|
||||||
|
|
||||||
mempool_free(pmb, phba->mbox_mem_pool);
|
mempool_free(pmb, phba->mbox_mem_pool);
|
||||||
return offset;
|
return offset;
|
||||||
|
Loading…
Reference in New Issue
Block a user