Bug 37692
| Summary: | qla2x00 driver doesn't scale | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Eric Delaney <eld> |
| Component: | kernel | Assignee: | Arjan van de Ven <arjanv> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brock Organ <borgan> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.1 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-06-06 11:48:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
From Bugzilla Helper: User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98) qla2x00 driver will overflow its buffer qla2100_buffer when enough disks are attached. Reproducible: Always Steps to Reproduce: 1. install a qla2x00 based card with a bunch of disks on the fabric. 2. 3. Actual Results: Driver can corrupt random memory next to its buffers. Expected Results: That the driver does not corrupt random memory next to its pages. In function qla2100_proc_info in qla2x00.c, we check and will reallocate the buffer qla2100_buffer if its not the fixed size 4096. This size is way, way to small to begin with and it shouldn't be fixed. I overflowed the buffer at 120 connected disks and I'm currently over flowing it at 70 disks as well. I'd guess that this size will allow about 40 disks before you start writing on another random buffer next to the allocated one in the kernel. mojo /proc/scsi/qla2x00 19 wc 0 162 955 7170 0 It should really be dynamic and while your at it, it should be checking the size of what being added to the buffer before adding it to the buffer. #define PROC_BUF (&qla2100_buffer[len]) len += size; size = sprintf(PROC_BUF, "Number of pending commands = 0x%lx\n", ha- >actthre ads); I couldn't bring myself to look at the rest of the code.