summaryrefslogtreecommitdiff
path: root/drivers/s390/scsi/zfcp_dbf.c
diff options
context:
space:
mode:
authorSteffen Maier <maier@linux.vnet.ibm.com>2012-09-04 15:23:31 +0200
committerBen Hutchings <ben@decadent.org.uk>2012-10-17 03:48:45 +0100
commit64b0bb9b6ce5cfd183b3545e294eac630db52dc8 (patch)
tree73f6c0768a7281903770faa7b2e39f0a8d062809 /drivers/s390/scsi/zfcp_dbf.c
parent38256c96b86de6a47e45c9b729594a1093c86027 (diff)
downloadlwn-64b0bb9b6ce5cfd183b3545e294eac630db52dc8.tar.gz
lwn-64b0bb9b6ce5cfd183b3545e294eac630db52dc8.zip
zfcp: Bounds checking for deferred error trace
commit 01e60527f0a49b3d7df603010bd6079bb4b6cf07 upstream. The pl vector has scount elements, i.e. pl[scount-1] is the last valid element. For maximum sized requests, payload->counter == scount after the last loop iteration. Therefore, do bounds checking first (with boolean shortcut) to not access the invalid element pl[scount]. Do not trust the maximum sbale->scount value from the HBA but ensure we won't access the pl vector out of our allocated bounds. While at it, clean up scoping and prevent unnecessary memset. Minor fix for 86a9668a8d29ea711613e1cb37efa68e7c4db564 "[SCSI] zfcp: support for hardware data router" Signed-off-by: Steffen Maier <maier@linux.vnet.ibm.com> Reviewed-by: Martin Peschke <mpeschke@linux.vnet.ibm.com> Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'drivers/s390/scsi/zfcp_dbf.c')
-rw-r--r--drivers/s390/scsi/zfcp_dbf.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c
index a9a816e4aa55..bdca8e692902 100644
--- a/drivers/s390/scsi/zfcp_dbf.c
+++ b/drivers/s390/scsi/zfcp_dbf.c
@@ -191,7 +191,7 @@ void zfcp_dbf_hba_def_err(struct zfcp_adapter *adapter, u64 req_id, u16 scount,
length = min((u16)sizeof(struct qdio_buffer),
(u16)ZFCP_DBF_PAY_MAX_REC);
- while ((char *)pl[payload->counter] && payload->counter < scount) {
+ while (payload->counter < scount && (char *)pl[payload->counter]) {
memcpy(payload->data, (char *)pl[payload->counter], length);
debug_event(dbf->pay, 1, payload, zfcp_dbf_plen(length));
payload->counter++;