On 11/18/2019 4:30 AM, Hannes Reinecke wrote:
The lpfc driver allocates a cpu_map based on the number of possible
cpus during startup. If a CPU hotplug occurs the number of CPUs
might change, causing an out-of-bounds access when trying to look up
the hardware index for a given CPU.
Suggested-by: Daniel Wagner <daniel.wagner@xxxxxxxx>
Signed-off-by: Hannes Reinecke <hare@xxxxxxx>
---
drivers/scsi/lpfc/lpfc_scsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
index ba26df90a36a..2380452a8efd 100644
--- a/drivers/scsi/lpfc/lpfc_scsi.c
+++ b/drivers/scsi/lpfc/lpfc_scsi.c
@@ -642,7 +642,8 @@ lpfc_get_scsi_buf_s4(struct lpfc_hba *phba, struct lpfc_nodelist *ndlp,
int tag;
struct fcp_cmd_rsp_buf *tmp = NULL;
- cpu = raw_smp_processor_id();
+ cpu = min_t(u32, raw_smp_processor_id(),
+ phba->sli4_hba.num_possible_cpu);
if (cmnd && phba->cfg_fcp_io_sched == LPFC_FCP_SCHED_BY_HDWQ) {
tag = blk_mq_unique_tag(cmnd->request);
idx = blk_mq_unique_tag_to_hwq(tag);
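Review bot: The upper bound in the new min_t() looks off by one. If cpu_map holds num_possible_cpu entries, as the commit message describes, the valid indices are 0 through num_possible_cpu - 1, yet the clamp still allows cpu to equal phba->sli4_hba.num_possible_cpu, which indexes one element past the end. Clamping to num_possible_cpu - 1 would close that gap. The clamp is also silent: a command issued from an out-of-range CPU is steered to the hardware queue mapped for a different CPU with no trace that this happened, so a WARN_ON_ONCE() or a comment explaining why that fallback is acceptable would help whoever debugs this later.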
This should be unnecessary with the lpfc 12.6.0.1 and 12.6.0.2 patches
that tie into cpu onlining/offlining and cpu hot add.
I am curious: if a cpu is hot removed, how does num_possible dynamically
change (to a lower value?) such that a thread can be running on a cpu
that returns a higher cpu number than num_possible?
-- james