From a0a74e45057cc3138c29173e7b0b3db8b30939ae Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Thu, 9 Aug 2007 20:47:15 +0200 Subject: [SCSI] lpfc: fix potential overflow of hbqs array The Coverity checker noticed that we may overrun a statically allocated array in drivers/scsi/lpfc/lpfc_sli.c::lpfc_sli_hbqbuf_find(). The case is this; In 'struct lpfc_hba' we have #define LPFC_MAX_HBQS 4 ... struct lpfc_hba { ... struct hbq_s hbqs[LPFC_MAX_HBQS]; ... }; But then in lpfc_sli_hbqbuf_find() we have this code hbqno = tag >> 16; if (hbqno > LPFC_MAX_HBQS) return NULL; if 'hbqno' ends up as exactely 4, then we won't return, and then this list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) { will cause an overflow of the statically allocated array at index 4, since the valid indices are only 0-3. I propose this patch, that simply changes the 'hbqno > LPFC_MAX_HBQS' into 'hbqno >= LPFC_MAX_HBQS' as a possible fix. Signed-off-by: Jesper Juhl Acked-by: James Smart Signed-off-by: James Bottomley --- drivers/scsi/lpfc/lpfc_sli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/scsi/lpfc') diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c index ce5ff2bccba..e5337ad4121 100644 --- a/drivers/scsi/lpfc/lpfc_sli.c +++ b/drivers/scsi/lpfc/lpfc_sli.c @@ -675,7 +675,7 @@ lpfc_sli_hbqbuf_find(struct lpfc_hba *phba, uint32_t tag) uint32_t hbqno; hbqno = tag >> 16; - if (hbqno > LPFC_MAX_HBQS) + if (hbqno >= LPFC_MAX_HBQS) return NULL; list_for_each_entry(d_buf, &phba->hbqs[hbqno].hbq_buffer_list, list) { -- cgit v1.2.3 From ffcde188a82497385139c62c6b6362aa4f29406f Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Fri, 10 Aug 2007 14:50:38 -0700 Subject: [SCSI] NCR_D700, lpfc: Clean up duplicate includes Signed-off-by: Jesper Juhl Acked-by: James Smart Signed-off-by: Andrew Morton Signed-off-by: James Bottomley --- drivers/scsi/lpfc/lpfc_debugfs.c | 1 - drivers/scsi/lpfc/lpfc_init.c | 1 - 2 files changed, 2 deletions(-) (limited to 'drivers/scsi/lpfc') diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c index 2e3c01bebed..dcf808be0fb 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -43,7 +43,6 @@ #include "lpfc_crtn.h" #include "lpfc_vport.h" #include "lpfc_version.h" -#include "lpfc_vport.h" #include "lpfc_debugfs.h" #ifdef CONFIG_LPFC_DEBUG_FS diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 414350ab584..42e20612df8 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -43,7 +43,6 @@ #include "lpfc_crtn.h" #include "lpfc_vport.h" #include "lpfc_version.h" -#include "lpfc_vport.h" static int lpfc_parse_vpd(struct lpfc_hba *, uint8_t *, int); static void lpfc_get_hba_model_desc(struct lpfc_hba *, uint8_t *, uint8_t *); -- cgit v1.2.3 From bbfbbbc1182f8b44c8cc4c99f4a3f3a512149022 Mon Sep 17 00:00:00 2001 From: Mariusz Kozlowski Date: Sat, 11 Aug 2007 10:13:24 +0200 Subject: [SCSI] kmalloc + memset conversion to kzalloc In NCR_D700, a4000t, aic7xxx_old, bvme6000, dpt_i2o, gdth, lpfc, megaraid, mvme16x osst, pluto, qla2xxx, zorro7xx Signed-off-by: Mariusz Kozlowski Signed-off-by: James Bottomley --- drivers/scsi/lpfc/lpfc_debugfs.c | 4 +--- drivers/scsi/lpfc/lpfc_init.c | 3 +-- drivers/scsi/lpfc/lpfc_scsi.c | 3 +-- 3 files changed, 3 insertions(+), 7 deletions(-) (limited to 'drivers/scsi/lpfc') diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c index dcf808be0fb..149fdd25f8e 100644 --- a/drivers/scsi/lpfc/lpfc_debugfs.c +++ b/drivers/scsi/lpfc/lpfc_debugfs.c @@ -901,7 +901,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) } } - vport->disc_trc = kmalloc( + vport->disc_trc = kmzlloc( (sizeof(struct lpfc_debugfs_trc) * lpfc_debugfs_max_disc_trc), GFP_KERNEL); @@ -912,8 +912,6 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport) goto debug_failed; } atomic_set(&vport->disc_trc_cnt, 0); - memset(vport->disc_trc, 0, - (sizeof(struct lpfc_debugfs_trc) * lpfc_debugfs_max_disc_trc)); snprintf(name, sizeof(name), "discovery_trace"); vport->debug_disc_trc = diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c index 42e20612df8..ecebdfa0047 100644 --- a/drivers/scsi/lpfc/lpfc_init.c +++ b/drivers/scsi/lpfc/lpfc_init.c @@ -1265,11 +1265,10 @@ lpfc_hba_init(struct lpfc_hba *phba, uint32_t *hbainit) uint32_t *HashWorking; uint32_t *pwwnn = (uint32_t *) phba->wwnn; - HashWorking = kmalloc(80 * sizeof(uint32_t), GFP_KERNEL); + HashWorking = kcalloc(80, sizeof(uint32_t), GFP_KERNEL); if (!HashWorking) return; - memset(HashWorking, 0, (80 * sizeof(uint32_t))); HashWorking[0] = HashWorking[78] = *pwwnn++; HashWorking[1] = HashWorking[79] = *pwwnn; diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c index 17d7dc05149..cd674938ccd 100644 --- a/drivers/scsi/lpfc/lpfc_scsi.c +++ b/drivers/scsi/lpfc/lpfc_scsi.c @@ -202,10 +202,9 @@ lpfc_new_scsi_buf(struct lpfc_vport *vport) dma_addr_t pdma_phys; uint16_t iotag; - psb = kmalloc(sizeof(struct lpfc_scsi_buf), GFP_KERNEL); + psb = kzalloc(sizeof(struct lpfc_scsi_buf), GFP_KERNEL); if (!psb) return NULL; - memset(psb, 0, sizeof (struct lpfc_scsi_buf)); /* * Get memory from the pci pool to map the virt space to pci bus space -- cgit v1.2.3