Bug 37692 - qla2x00 driver doesn't scale
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: kernel
Version: 7.1
Hardware: i386 Linux
Priority: medium Severity: high
Assigned To: Arjan van de Ven
QA Contact: Brock Organ
Reported: 2001-04-25 17:04 EDT by Eric Delaney
Modified: 2007-04-18 12:32 EDT
Doc Type: Bug Fix
Last Closed: 2003-06-06 07:48:40 EDT
Description Eric Delaney 2001-04-25 17:04:24 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)


qla2x00 driver will overflow its buffer qla2100_buffer when enough disks 
are attached.

Reproducible: Always
Steps to Reproduce:
1. install a qla2x00 based card with a bunch of disks on the fabric.

Actual Results:  Driver can corrupt random memory next to its buffers.

Expected Results:  That the driver does not corrupt random memory next to 
its pages.

In function qla2100_proc_info in qla2x00.c, we check and will reallocate 
the buffer qla2100_buffer if it's not the fixed size 4096.  

This size is way, way too small to begin with and it shouldn't be fixed. I 
overflowed the buffer at 120 connected disks and I'm currently 
overflowing it at 70 disks as well.  I'd guess that this size will allow about 
40 disks before you start writing on another random buffer next to the 
allocated one in the kernel.

mojo /proc/scsi/qla2x00 19 wc 0
    162     955    7170 0

It should really be dynamic and while you're at it, it should be checking 
the size of what is being added to the buffer before adding it to the buffer.

#define PROC_BUF        (&qla2100_buffer[len])
    len += size;
    size = sprintf(PROC_BUF, "Number of pending commands = 0x%lx\n", ha->actthreads);

I couldn't bring myself to look at the rest of the code.
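
The size check the report asks for, as an added example that is not the driver's code and not part of the original report: a user-space C model of a bounded append replacing the `len += sprintf(&buf[len], ...)` pattern. Only the 4096-byte size and the "pending commands" format string come from the report; `struct proc_buf`, `proc_append`, `fill_for_disks` and the per-disk line format are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PROC_BUF_SIZE 4096          /* the fixed size named in the report */

struct proc_buf {                   /* hypothetical stand-in for qla2100_buffer */
    char   data[PROC_BUF_SIZE];
    size_t len;                     /* bytes stored, excluding the NUL */
    size_t wanted;                  /* bytes an unchecked sprintf would have written */
};

/* Bounded append: returns 0 if the whole line fit, -1 if it was truncated. */
static int proc_append(struct proc_buf *b, const char *fmt, ...)
{
    size_t room = sizeof(b->data) - b->len;   /* always >= 1 (space for the NUL) */
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(b->data + b->len, room, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    b->wanted += (size_t)n;
    if ((size_t)n >= room) {                  /* line did not fit: clamp, never overrun */
        b->len = sizeof(b->data) - 1;
        return -1;
    }
    b->len += (size_t)n;
    return 0;
}

/* Constructed workload: one status line per disk. Returns how many lines fit. */
static int fill_for_disks(struct proc_buf *b, int ndisks)
{
    int i, fitted = 0;

    memset(b, 0, sizeof(*b));
    proc_append(b, "Number of pending commands = 0x%lx\n", 0UL);
    for (i = 0; i < ndisks; i++)
        if (proc_append(b, "disk %3d: total reqs %lu, pending reqs %lu\n", i, 0UL, 0UL) == 0)
            fitted++;
    return fitted;
}

int main(void)
{
    struct proc_buf b;
    int fitted = fill_for_disks(&b, 120);
    printf("fitted=%d stored=%zu wanted=%zu\n", fitted, b.len, b.wanted);
    return 0;
}
```

The gap between `wanted` and `len` is the number of bytes the unchecked version would have written past the end of the allocation; a dynamic buffer would be sized from `wanted` instead of truncating.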
