On 11/18/19 3:22 PM, Daniel Wagner wrote: > Hi Hannes, > > On Mon, Nov 18, 2019 at 01:30:12PM +0100, Hannes Reinecke wrote: >> The lpfc driver allocates a cpu_map based on the number of possible >> cpus during startup. If a CPU hotplug occurs the number of CPUs >> might change, causing an out-of-bounds access when trying to lookup >> the hardware index for a given CPU. >> >> Suggested-by: Daniel Wagner <daniel.wagner@xxxxxxxx> >> Signed-off-by: Hannes Reinecke <hare@xxxxxxx> >> --- >> drivers/scsi/lpfc/lpfc_scsi.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c >> index ba26df90a36a..2380452a8efd 100644 >> --- a/drivers/scsi/lpfc/lpfc_scsi.c >> +++ b/drivers/scsi/lpfc/lpfc_scsi.c >> @@ -642,7 +642,8 @@ lpfc_get_scsi_buf_s4(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp, >> int tag; >> struct fcp_cmd_rsp_buf *tmp = NULL; >> >> - cpu = raw_smp_processor_id(); >> + cpu = min_t(u32, raw_smp_processor_id(), >> + phba->sli4_hba.num_possible_cpu); > > The index is limited by phba->cfg_hdw_queue and not the number of CPUs. > Nope. phba->sli4_hba.cpu_map = kcalloc(phba->sli4_hba.num_possible_cpu, sizeof(struct lpfc_vector_map_info), GFP_KERNEL); Cheers, Hannes -- Dr. Hannes Reinecke Teamlead Storage & Networking hare@xxxxxxx +49 911 74053 688 SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg HRB 247165 (AG München), GF: Felix Imendörffer
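Review bot: The clamp in the added `min_t(u32, raw_smp_processor_id(), phba->sli4_hba.num_possible_cpu)` uses the element count as its upper bound, so `cpu` can still end up equal to `num_possible_cpu`. With `cpu_map` allocated as `kcalloc(phba->sli4_hba.num_possible_cpu, ...)`, as quoted in the reply, the valid indexes run from 0 to `num_possible_cpu - 1`, so a lookup with the clamped value would still read one entry past the end of the array. Consider bounding by `phba->sli4_hba.num_possible_cpu - 1`. A short comment would also help here, stating which entry a CPU beyond the map is meant to fall back to, since the clamp silently sends every such CPU to the same slot.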