Commit b7ec021f authored by Scott Teel's avatar Scott Teel Committed by James Bottomley

[SCSI] hpsa: fix potential array overflow in hpsa_update_scsi_devices

The currentsd[] array in hpsa_update_scsi_devices had room for
256 devices.  The code was iterating over however many physical
and logical devices plus an additional number of possible external
MSA2XXX controllers, which together could potentially exceed 256.

We increased the size of the currentsd array to 1024 + 1024 + 32 + 1
elements to reflect a reasonable maximum possible number of devices
which might be encountered.  We also don't just walk off the end
of the array if the array controller reports more devices than we
are prepared to handle, we just ignore the excessive devices.
Signed-off-by: default avatarScott Teel <scott.teel@hp.com>
Signed-off-by: default avatarStephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: default avatarJames Bottomley <JBottomley@Parallels.com>
parent cfe5badc
...@@ -1734,7 +1734,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h, ...@@ -1734,7 +1734,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h,
if (is_scsi_rev_5(h)) if (is_scsi_rev_5(h))
return 0; /* p1210m doesn't need to do this. */ return 0; /* p1210m doesn't need to do this. */
#define MAX_MSA2XXX_ENCLOSURES 32
if (*nmsa2xxx_enclosures >= MAX_MSA2XXX_ENCLOSURES) { if (*nmsa2xxx_enclosures >= MAX_MSA2XXX_ENCLOSURES) {
dev_warn(&h->pdev->dev, "Maximum number of MSA2XXX " dev_warn(&h->pdev->dev, "Maximum number of MSA2XXX "
"enclosures exceeded. Check your hardware " "enclosures exceeded. Check your hardware "
...@@ -1868,6 +1867,13 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno) ...@@ -1868,6 +1867,13 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno)
/* Allocate the per device structures */ /* Allocate the per device structures */
for (i = 0; i < ndevs_to_allocate; i++) { for (i = 0; i < ndevs_to_allocate; i++) {
if (i >= HPSA_MAX_DEVICES) {
dev_warn(&h->pdev->dev, "maximum devices (%d) exceeded."
" %d devices ignored.\n", HPSA_MAX_DEVICES,
ndevs_to_allocate - HPSA_MAX_DEVICES);
break;
}
currentsd[i] = kzalloc(sizeof(*currentsd[i]), GFP_KERNEL); currentsd[i] = kzalloc(sizeof(*currentsd[i]), GFP_KERNEL);
if (!currentsd[i]) { if (!currentsd[i]) {
dev_warn(&h->pdev->dev, "out of memory at %s:%d\n", dev_warn(&h->pdev->dev, "out of memory at %s:%d\n",
......
...@@ -102,7 +102,6 @@ struct ctlr_info { ...@@ -102,7 +102,6 @@ struct ctlr_info {
struct Scsi_Host *scsi_host; struct Scsi_Host *scsi_host;
spinlock_t devlock; /* to protect hba[ctlr]->dev[]; */ spinlock_t devlock; /* to protect hba[ctlr]->dev[]; */
int ndevices; /* number of used elements in .dev[] array. */ int ndevices; /* number of used elements in .dev[] array. */
#define HPSA_MAX_DEVICES 256
struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES]; struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES];
/* /*
* Performant mode tables. * Performant mode tables.
......
...@@ -123,8 +123,11 @@ union u64bit { ...@@ -123,8 +123,11 @@ union u64bit {
/* FIXME this is a per controller value (barf!) */ /* FIXME this is a per controller value (barf!) */
#define HPSA_MAX_TARGETS_PER_CTLR 16 #define HPSA_MAX_TARGETS_PER_CTLR 16
#define HPSA_MAX_LUN 256 #define HPSA_MAX_LUN 1024
#define HPSA_MAX_PHYS_LUN 1024 #define HPSA_MAX_PHYS_LUN 1024
#define MAX_MSA2XXX_ENCLOSURES 32
#define HPSA_MAX_DEVICES (HPSA_MAX_PHYS_LUN + HPSA_MAX_LUN + \
MAX_MSA2XXX_ENCLOSURES + 1) /* + 1 is for the controller itself */
/* SCSI-3 Commands */ /* SCSI-3 Commands */
#pragma pack(1) #pragma pack(1)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment