> On Sep 8, 2021, at 2:28 AM, Nilesh Javali <njavali@xxxxxxxxxxx> wrote:
>
> From: Arun Easi <aeasi@xxxxxxxxxxx>
>
> Kernel crashes when accessing port_speed sysfs file.
> The issue happens on a CNA when the local array was
> accessed beyond bounds. Fix this by changing the lookup.
>
> BUG: unable to handle kernel paging request at 0000000000004000
> PGD 0 P4D 0
> Oops: 0000 [#1] SMP PTI
> CPU: 15 PID: 455213 Comm: sosreport Kdump: loaded Not tainted
> 4.18.0-305.7.1.el8_4.x86_64 #1
> RIP: 0010:string_nocheck+0x12/0x70
> Code: 00 00 4c 89 e2 be 20 00 00 00 48 89 ef e8 86 9a 00 00 4c 01
> e3 eb 81 90 49 89 f2 48 89 ce 48 89 f8 48 c1 fe 30 66 85 f6 74 4f <44> 0f b6 0a
> 45 84 c9 74 46 83 ee 01 41 b8 01 00 00 00 48 8d 7c 37
> RSP: 0018:ffffb5141c1afcf0 EFLAGS: 00010286
> RAX: ffff8bf4009f8000 RBX: ffff8bf4009f9000 RCX: ffff0a00ffffff04
> RDX: 0000000000004000 RSI: ffffffffffffffff RDI: ffff8bf4009f8000
> RBP: 0000000000004000 R08: 0000000000000001 R09: ffffb5141c1afb84
> R10: ffff8bf4009f9000 R11: ffffb5141c1afce6 R12: ffff0a00ffffff04
> R13: ffffffffc08e21aa R14: 0000000000001000 R15: ffffffffc08e21aa
> FS: 00007fc4ebfff700(0000) GS:ffff8c717f7c0000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000004000 CR3: 000000edfdee6006 CR4: 00000000001706e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> string+0x40/0x50
> vsnprintf+0x33c/0x520
> scnprintf+0x4d/0x90
> qla2x00_port_speed_show+0xb5/0x100 [qla2xxx]
> dev_attr_show+0x1c/0x40
> sysfs_kf_seq_show+0x9b/0x100
> seq_read+0x153/0x410
> vfs_read+0x91/0x140
> ksys_read+0x4f/0xb0
> do_syscall_64+0x5b/0x1a0
> entry_SYSCALL_64_after_hwframe+0x65/0xca
>
Missing yet another
Fixes: 4910b524ac9e6 ("scsi: qla2xxx: Add support for setting port speed”)
Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Arun Easi <aeasi@xxxxxxxxxxx>
> Signed-off-by: Nilesh Javali <njavali@xxxxxxxxxxx>
> ---
> drivers/scsi/qla2xxx/qla_attr.c | 24 ++++++++++++++++++++++--
> 1 file changed, 22 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
> index d09776b77af2..cb5f2ecb652d 100644
> --- a/drivers/scsi/qla2xxx/qla_attr.c
> +++ b/drivers/scsi/qla2xxx/qla_attr.c
> @@ -1868,6 +1868,18 @@ qla2x00_port_speed_store(struct device *dev, struct device_attribute *attr,
> return strlen(buf);
> }
>
> +static const struct {
> + u16 rate;
> + char *str;
> +} port_speed_str[] = {
> + { PORT_SPEED_4GB, "4" },
> + { PORT_SPEED_8GB, "8" },
> + { PORT_SPEED_16GB, "16" },
> + { PORT_SPEED_32GB, "32" },
> + { PORT_SPEED_64GB, "64" },
> + { PORT_SPEED_10GB, "10" },
> +};
> +
> static ssize_t
> qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr,
> char *buf)
> @@ -1875,7 +1887,8 @@ qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr,
> struct scsi_qla_host *vha = shost_priv(dev_to_shost(dev));
> struct qla_hw_data *ha = vha->hw;
> ssize_t rval;
> - char *spd[7] = {"0", "0", "0", "4", "8", "16", "32"};
> + u16 i;
> + char *speed = "Unknown";
>
> rval = qla2x00_get_data_rate(vha);
> if (rval != QLA_SUCCESS) {
> @@ -1884,7 +1897,14 @@ qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr,
> return -EINVAL;
> }
>
> - return scnprintf(buf, PAGE_SIZE, "%s\n", spd[ha->link_data_rate]);
> + for (i = 0; i < ARRAY_SIZE(port_speed_str); i++) {
> + if (port_speed_str[i].rate != ha->link_data_rate)
> + continue;
> + speed = port_speed_str[i].str;
> + break;
> + }
> +
> + return scnprintf(buf, PAGE_SIZE, "%s\n", speed);
> }
>
> static ssize_t
> --
> 2.19.0.rc0
>
Reviewed-by: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx>
--
Himanshu Madhani Oracle Linux Engineering
