From b7ec021fe6fe979dbd4e62604a4942f964b12864 Mon Sep 17 00:00:00 2001 From: Scott Teel Date: Wed, 26 Oct 2011 16:21:12 -0500 Subject: [SCSI] hpsa: fix potential array overflow in hpsa_update_scsi_devices The currentsd[] array in hpsa_update_scsi_devices had room for 256 devices. The code was iterating over however many physical and logical devices plus an additional number of possible external MSA2XXX controllers, which together could potentially exceed 256. We increased the size of the currentsd array to 1024 + 1024 + 32 + 1 elements to reflect a reasonable maximum possible number of devices which might be encountered. We also don't just walk off the end of the array if the array controller reports more devices than we are prepared to handle, we just ignore the excessive devices. Signed-off-by: Scott Teel Signed-off-by: Stephen M. Cameron Signed-off-by: James Bottomley --- drivers/scsi/hpsa.c | 8 +++++++- drivers/scsi/hpsa.h | 1 - drivers/scsi/hpsa_cmd.h | 5 ++++- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c index f661ad1e500c..f3fd9f1711f7 100644 --- a/drivers/scsi/hpsa.c +++ b/drivers/scsi/hpsa.c @@ -1734,7 +1734,6 @@ static int add_msa2xxx_enclosure_device(struct ctlr_info *h, if (is_scsi_rev_5(h)) return 0; /* p1210m doesn't need to do this. */ -#define MAX_MSA2XXX_ENCLOSURES 32 if (*nmsa2xxx_enclosures >= MAX_MSA2XXX_ENCLOSURES) { dev_warn(&h->pdev->dev, "Maximum number of MSA2XXX " "enclosures exceeded. Check your hardware " @@ -1868,6 +1867,13 @@ static void hpsa_update_scsi_devices(struct ctlr_info *h, int hostno) /* Allocate the per device structures */ for (i = 0; i < ndevs_to_allocate; i++) { + if (i >= HPSA_MAX_DEVICES) { + dev_warn(&h->pdev->dev, "maximum devices (%d) exceeded." + " %d devices ignored.\n", HPSA_MAX_DEVICES, + ndevs_to_allocate - HPSA_MAX_DEVICES); + break; + } + currentsd[i] = kzalloc(sizeof(*currentsd[i]), GFP_KERNEL); if (!currentsd[i]) { dev_warn(&h->pdev->dev, "out of memory at %s:%d\n", diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h index 4de9f71d8bff..73858bc22e57 100644 --- a/drivers/scsi/hpsa.h +++ b/drivers/scsi/hpsa.h @@ -102,7 +102,6 @@ struct ctlr_info { struct Scsi_Host *scsi_host; spinlock_t devlock; /* to protect hba[ctlr]->dev[]; */ int ndevices; /* number of used elements in .dev[] array. */ -#define HPSA_MAX_DEVICES 256 struct hpsa_scsi_dev_t *dev[HPSA_MAX_DEVICES]; /* * Performant mode tables. diff --git a/drivers/scsi/hpsa_cmd.h b/drivers/scsi/hpsa_cmd.h index 55d741b019db..3fd4715935c2 100644 --- a/drivers/scsi/hpsa_cmd.h +++ b/drivers/scsi/hpsa_cmd.h @@ -123,8 +123,11 @@ union u64bit { /* FIXME this is a per controller value (barf!) */ #define HPSA_MAX_TARGETS_PER_CTLR 16 -#define HPSA_MAX_LUN 256 +#define HPSA_MAX_LUN 1024 #define HPSA_MAX_PHYS_LUN 1024 +#define MAX_MSA2XXX_ENCLOSURES 32 +#define HPSA_MAX_DEVICES (HPSA_MAX_PHYS_LUN + HPSA_MAX_LUN + \ + MAX_MSA2XXX_ENCLOSURES + 1) /* + 1 is for the controller itself */ /* SCSI-3 Commands */ #pragma pack(1) -- cgit v1.2.3