> On Sep 8, 2021, at 2:28 AM, Nilesh Javali <njavali@xxxxxxxxxxx> wrote: > > From: Arun Easi <aeasi@xxxxxxxxxxx> > > Kernel crashes when accessing port_speed sysfs file. > The issue happens on a CNA when the local array was > accessed beyond bounds. Fix this by changing the lookup. > > BUG: unable to handle kernel paging request at 0000000000004000 > PGD 0 P4D 0 > Oops: 0000 [#1] SMP PTI > CPU: 15 PID: 455213 Comm: sosreport Kdump: loaded Not tainted > 4.18.0-305.7.1.el8_4.x86_64 #1 > RIP: 0010:string_nocheck+0x12/0x70 > Code: 00 00 4c 89 e2 be 20 00 00 00 48 89 ef e8 86 9a 00 00 4c 01 > e3 eb 81 90 49 89 f2 48 89 ce 48 89 f8 48 c1 fe 30 66 85 f6 74 4f <44> 0f b6 0a > 45 84 c9 74 46 83 ee 01 41 b8 01 00 00 00 48 8d 7c 37 > RSP: 0018:ffffb5141c1afcf0 EFLAGS: 00010286 > RAX: ffff8bf4009f8000 RBX: ffff8bf4009f9000 RCX: ffff0a00ffffff04 > RDX: 0000000000004000 RSI: ffffffffffffffff RDI: ffff8bf4009f8000 > RBP: 0000000000004000 R08: 0000000000000001 R09: ffffb5141c1afb84 > R10: ffff8bf4009f9000 R11: ffffb5141c1afce6 R12: ffff0a00ffffff04 > R13: ffffffffc08e21aa R14: 0000000000001000 R15: ffffffffc08e21aa > FS: 00007fc4ebfff700(0000) GS:ffff8c717f7c0000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000004000 CR3: 000000edfdee6006 CR4: 00000000001706e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 > Call Trace: > string+0x40/0x50 > vsnprintf+0x33c/0x520 > scnprintf+0x4d/0x90 > qla2x00_port_speed_show+0xb5/0x100 [qla2xxx] > dev_attr_show+0x1c/0x40 > sysfs_kf_seq_show+0x9b/0x100 > seq_read+0x153/0x410 > vfs_read+0x91/0x140 > ksys_read+0x4f/0xb0 > do_syscall_64+0x5b/0x1a0 > entry_SYSCALL_64_after_hwframe+0x65/0xca > Missing yet another Fixes: 4910b524ac9e6 ("scsi: qla2xxx: Add support for setting port speed”) Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Arun Easi <aeasi@xxxxxxxxxxx> > Signed-off-by: Nilesh Javali <njavali@xxxxxxxxxxx> > --- > drivers/scsi/qla2xxx/qla_attr.c | 24 ++++++++++++++++++++++-- > 1 file changed, 22 insertions(+), 2 deletions(-) > > diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c > index d09776b77af2..cb5f2ecb652d 100644 > --- a/drivers/scsi/qla2xxx/qla_attr.c > +++ b/drivers/scsi/qla2xxx/qla_attr.c > @@ -1868,6 +1868,18 @@ qla2x00_port_speed_store(struct device *dev, struct device_attribute *attr, > return strlen(buf); > } > > +static const struct { > + u16 rate; > + char *str; > +} port_speed_str[] = { > + { PORT_SPEED_4GB, "4" }, > + { PORT_SPEED_8GB, "8" }, > + { PORT_SPEED_16GB, "16" }, > + { PORT_SPEED_32GB, "32" }, > + { PORT_SPEED_64GB, "64" }, > + { PORT_SPEED_10GB, "10" }, > +}; > + > static ssize_t > qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr, > char *buf) > @@ -1875,7 +1887,8 @@ qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr, > struct scsi_qla_host *vha = shost_priv(dev_to_shost(dev)); > struct qla_hw_data *ha = vha->hw; > ssize_t rval; > - char *spd[7] = {"0", "0", "0", "4", "8", "16", "32"}; > + u16 i; > + char *speed = "Unknown"; > > rval = qla2x00_get_data_rate(vha); > if (rval != QLA_SUCCESS) { > @@ -1884,7 +1897,14 @@ qla2x00_port_speed_show(struct device *dev, struct device_attribute *attr, > return -EINVAL; > } > > - return scnprintf(buf, PAGE_SIZE, "%s\n", spd[ha->link_data_rate]); > + for (i = 0; i < ARRAY_SIZE(port_speed_str); i++) { > + if (port_speed_str[i].rate != ha->link_data_rate) > + continue; > + speed = port_speed_str[i].str; > + break; > + } > + > + return scnprintf(buf, PAGE_SIZE, "%s\n", speed); > } > > static ssize_t > -- > 2.19.0.rc0 > Reviewed-by: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx> -- Himanshu Madhani Oracle Linux Engineering