[SCSI] zfcp: Bounds checking for deferred error trace

The pl vector has scount elements, i.e. pl[scount-1] is the last valid
element. For maximum sized requests, payload->counter == scount after
the last loop iteration. Therefore, do bounds checking first (with
boolean shortcut) to not access the invalid element pl[scount].

Do not trust the maximum sbale->scount value from the HBA
but ensure we won't access the pl vector out of our allocated bounds.
While at it, clean up scoping and prevent unnecessary memset.

Minor fix for 86a9668a8d29ea711613e1cb37efa68e7c4db564
"[SCSI] zfcp: support for hardware data router"

Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com>
Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org> #3.2+
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index 3c1d22097ad0b66296e730463b01a19775a18977..c6e47d553ad907844ac38e257fe34024ef9f3932 100644 (file)
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -191,7 +191,7 @@ void zfcp_dbf_hba_def_err(struct zfcp_adapter *adapter, u64 req_id, u16 scount,
        length = min((u16)sizeof(struct qdio_buffer),
                     (u16)ZFCP_DBF_PAY_MAX_REC);
 
-       while ((char *)pl[payload->counter] && payload->counter < scount) {
+       while (payload->counter < scount && (char *)pl[payload->counter]) {
                memcpy(payload->data, (char *)pl[payload->counter], length);
                debug_event(dbf->pay, 1, payload, zfcp_dbf_plen(length));
                payload->counter++;

diff --git a/drivers/s390/scsi/zfcp_qdio.c b/drivers/s390/scsi/zfcp_qdio.c
index b9fffc8d94a76daaf6b7faadbcd85194cb555094..50b5615848f6edaf63ca75d2021fe102eae5a6d7 100644 (file)
--- a/drivers/s390/scsi/zfcp_qdio.c
+++ b/drivers/s390/scsi/zfcp_qdio.c
@@ -102,18 +102,22 @@ static void zfcp_qdio_int_resp(struct ccw_device *cdev, unsigned int qdio_err,
 {
        struct zfcp_qdio *qdio = (struct zfcp_qdio *) parm;
        struct zfcp_adapter *adapter = qdio->adapter;
-       struct qdio_buffer_element *sbale;
        int sbal_no, sbal_idx;
-       void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
-       u64 req_id;
-       u8 scount;
 
        if (unlikely(qdio_err)) {
-               memset(pl, 0, ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
                if (zfcp_adapter_multi_buffer_active(adapter)) {
+                       void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
+                       struct qdio_buffer_element *sbale;
+                       u64 req_id;
+                       u8 scount;
+
+                       memset(pl, 0,
+                              ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
                        sbale = qdio->res_q[idx]->element;
                        req_id = (u64) sbale->addr;
-                       scount = sbale->scount + 1; /* incl. signaling SBAL */
+                       scount = min(sbale->scount + 1,
+                                    ZFCP_QDIO_MAX_SBALS_PER_REQ + 1);
+                                    /* incl. signaling SBAL */
 
                        for (sbal_no = 0; sbal_no < scount; sbal_no++) {
                                sbal_idx = (idx + sbal_no) %