[SCSI] zfcp: Bounds checking for deferred error trace

The pl vector has scount elements, i.e. pl[scount-1] is the last valid element. For maximum sized requests, payload->counter == scount after the last loop iteration. Therefore, do bounds checking first (with boolean shortcut) to not access the invalid element pl[scount]. Do not trust the maximum sbale->scount value from the HBA but ensure we won't access the pl vector out of our allocated bounds. While at it, clean up scoping and prevent unnecessary memset. Minor fix for 86a9668a8d29ea711613e1cb37efa68e7c4db564 "[SCSI] zfcp: support for hardware data router" Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com> Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com> Cc: <stable@vger.kernel.org> #3.2+ Signed-off-by: James Bottomley <JBottomley@Parallels.com>
author: Steffen Maier <maier@linux.vnet.ibm.com> 2012-09-04 09:23:31 -0400
committer: James Bottomley <JBottomley@Parallels.com> 2012-09-24 04:11:01 -0400
commit: 01e60527f0a49b3d7df603010bd6079bb4b6cf07 (patch)
tree: 5683b67c13a599c43d75f038a341f9dd79c49147 /drivers/s390/scsi
parent: 0100998dbfe6dfcd90a6e912ca7ed6f255d48f25 (diff)
2 files changed, 11 insertions, 7 deletions
diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index 3c1d22097ad0..c6e47d553ad9 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -191,7 +191,7 @@ void zfcp_dbf_hba_def_err(struct zfcp_adapter *adapter, u64 req_id, u16 scount,
        length = min((u16)sizeof(struct qdio_buffer),
                     (u16)ZFCP_DBF_PAY_MAX_REC);
-        while ((char *)pl[payload->counter] && payload->counter < scount) {
+        while (payload->counter < scount && (char *)pl[payload->counter]) {
                memcpy(payload->data, (char *)pl[payload->counter], length);
                debug_event(dbf->pay, 1, payload, zfcp_dbf_plen(length));
                payload->counter++;
diff --git a/drivers/s390/scsi/zfcp_qdio.c b/drivers/s390/scsi/zfcp_qdio.c
index b9fffc8d94a7..50b5615848f6 100644
--- a/drivers/s390/scsi/zfcp_qdio.c
+++ b/drivers/s390/scsi/zfcp_qdio.c
@@ -102,18 +102,22 @@ static void zfcp_qdio_int_resp(struct ccw_device *cdev, unsigned int qdio_err,
 {
        struct zfcp_qdio *qdio = (struct zfcp_qdio *) parm;
        struct zfcp_adapter *adapter = qdio->adapter;
-        struct qdio_buffer_element *sbale;
        int sbal_no, sbal_idx;
-        void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
-        u64 req_id;
-        u8 scount;
        if (unlikely(qdio_err)) {
-                memset(pl, 0, ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
                if (zfcp_adapter_multi_buffer_active(adapter)) {
+                        void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
+                        struct qdio_buffer_element *sbale;
+                        u64 req_id;
+                        u8 scount;
+                        memset(pl, 0,
+                               ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
                        sbale = qdio->res_q[idx]->element;
                        req_id = (u64) sbale->addr;
-                        scount = sbale->scount + 1; /* incl. signaling SBAL */
+                        scount = min(sbale->scount + 1,
+                                     ZFCP_QDIO_MAX_SBALS_PER_REQ + 1);
+                                     /* incl. signaling SBAL */
                        for (sbal_no = 0; sbal_no < scount; sbal_no++) {
                                sbal_idx = (idx + sbal_no) %
author	Steffen Maier <maier@linux.vnet.ibm.com>	2012-09-04 09:23:31 -0400
committer	James Bottomley <JBottomley@Parallels.com>	2012-09-24 04:11:01 -0400
commit	01e60527f0a49b3d7df603010bd6079bb4b6cf07 (patch)
tree	5683b67c13a599c43d75f038a341f9dd79c49147 /drivers/s390/scsi
parent	0100998dbfe6dfcd90a6e912ca7ed6f255d48f25 (diff)