[PATCH 3/8] zfcp: Bounds checking for deferred error trace

linux-scsi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Steffen Maier <maier@linux.vnet.ibm.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: linux-scsi@vger.kernel.org, linux-s390@vger.kernel.org,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	Steffen Maier <maier@linux.vnet.ibm.com>,
	stable@vger.kernel.org
Subject: [PATCH 3/8] zfcp: Bounds checking for deferred error trace
Date: Tue, 04 Sep 2012 15:23:31 +0200	[thread overview]
Message-ID: <20120904132348.521443300@linux.vnet.ibm.com> (raw)
In-Reply-To: 20120904132328.564402930@linux.vnet.ibm.com

[-- Attachment #1: 707-zfcp-bounds-checking-for-deferred-error-trace.patch --]
[-- Type: text/plain, Size: 2474 bytes --]

From: Steffen Maier <maier@linux.vnet.ibm.com>

The pl vector has scount elements, i.e. pl[scount-1] is the last valid
element. For maximum sized requests, payload->counter == scount after
the last loop iteration. Therefore, do bounds checking first (with
boolean shortcut) to not access the invalid element pl[scount].

Do not trust the maximum sbale->scount value from the HBA
but ensure we won't access the pl vector out of our allocated bounds.
While at it, clean up scoping and prevent unnecessary memset.

Minor fix for 86a9668a8d29ea711613e1cb37efa68e7c4db564
"[SCSI] zfcp: support for hardware data router"

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> #3.2+
---
 drivers/s390/scsi/zfcp_dbf.c  |    2 +-
 drivers/s390/scsi/zfcp_qdio.c |   16 ++++++++++------
 2 files changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -191,7 +191,7 @@ void zfcp_dbf_hba_def_err(struct zfcp_ad
 	length = min((u16)sizeof(struct qdio_buffer),
 		     (u16)ZFCP_DBF_PAY_MAX_REC);
 
-	while ((char *)pl[payload->counter] && payload->counter < scount) {
+	while (payload->counter < scount && (char *)pl[payload->counter]) {
 		memcpy(payload->data, (char *)pl[payload->counter], length);
 		debug_event(dbf->pay, 1, payload, zfcp_dbf_plen(length));
 		payload->counter++;
--- a/drivers/s390/scsi/zfcp_qdio.c
+++ b/drivers/s390/scsi/zfcp_qdio.c
@@ -102,18 +102,22 @@ static void zfcp_qdio_int_resp(struct cc
 {
 	struct zfcp_qdio *qdio = (struct zfcp_qdio *) parm;
 	struct zfcp_adapter *adapter = qdio->adapter;
-	struct qdio_buffer_element *sbale;
 	int sbal_no, sbal_idx;
-	void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
-	u64 req_id;
-	u8 scount;
 
 	if (unlikely(qdio_err)) {
-		memset(pl, 0, ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
 		if (zfcp_adapter_multi_buffer_active(adapter)) {
+			void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
+			struct qdio_buffer_element *sbale;
+			u64 req_id;
+			u8 scount;
+
+			memset(pl, 0,
+			       ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
 			sbale = qdio->res_q[idx]->element;
 			req_id = (u64) sbale->addr;
-			scount = sbale->scount + 1; /* incl. signaling SBAL */
+			scount = min(sbale->scount + 1,
+				     ZFCP_QDIO_MAX_SBALS_PER_REQ + 1);
+				     /* incl. signaling SBAL */
 
 			for (sbal_no = 0; sbal_no < scount; sbal_no++) {
 				sbal_idx = (idx + sbal_no) %

next prev parent reply	other threads:[~2012-09-04 13:29 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-09-04 13:23 [PATCH 0/8] zfcp: patches for 3.6-rc Steffen Maier
2012-09-04 13:23 ` [PATCH 1/8] zfcp: Adapt to new FC_PORTSPEED semantics Steffen Maier
2012-09-04 13:23 ` [PATCH 2/8] zfcp: Make trace record tags unique Steffen Maier
2012-09-04 13:23 ` Steffen Maier [this message]
2012-09-04 13:23 ` [PATCH 4/8] zfcp: Do not wakeup while suspended Steffen Maier
2012-09-04 13:23 ` [PATCH 5/8] zfcp: remove invalid reference to list iterator variable Steffen Maier
2012-09-04 13:23 ` [PATCH 6/8] zfcp: restore refcount check on port_remove Steffen Maier
2012-09-04 13:23 ` [PATCH 7/8] zfcp: No automatic port_rescan on events Steffen Maier
2012-09-04 13:23 ` [PATCH 8/8] zfcp: only access zfcp_scsi_dev for valid scsi_device Steffen Maier

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120904132348.521443300@linux.vnet.ibm.com \
    --to=maier@linux.vnet.ibm.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=heiko.carstens@de.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    --cc=schwidefsky@de.ibm.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).