[RESEND] cxlflash: a couple off by one bugs

Message ID	1449098788-21695-1-git-send-email-mrochs@linux.vnet.ibm.com (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-scsi-owner@kernel.org> Gateway: Authorized Use Only! Violators will be prosecuted for <linux-scsi@vger.kernel.org> from <mrochs@linux.vnet.ibm.com>; Wed, 2 Dec 2015 16:26:56 -0700 Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 2 Dec 2015 16:26:54 -0700 From: "Matthew R. Ochs" <mrochs@linux.vnet.ibm.com> To: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: Dan Carpenter <dan.carpenter@oracle.com>, "Manoj N. Kumar" <manoj@linux.vnet.ibm.com>, Wen Xiong <wenxiong@linux.vnet.ibm.com>, Michael Neuling <mikey@neuling.org>, Uma Krishnan <ukrishn@linux.vnet.ibm.com>, linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH RESEND] cxlflash: a couple off by one bugs Date: Wed, 2 Dec 2015 17:26:28 -0600 Message-Id: <1449098788-21695-1-git-send-email-mrochs@linux.vnet.ibm.com> Sender: linux-scsi-owner@vger.kernel.org Precedence: bulk

Message ID

1449098788-21695-1-git-send-email-mrochs@linux.vnet.ibm.com (mailing list archive)

State

New, archived

Headers

From: "Matthew R. Ochs" <mrochs@linux.vnet.ibm.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	"Manoj N. Kumar" <manoj@linux.vnet.ibm.com>,
	Wen Xiong <wenxiong@linux.vnet.ibm.com>,
	Michael Neuling <mikey@neuling.org>,
	Uma Krishnan <ukrishn@linux.vnet.ibm.com>,
	linux-scsi@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH RESEND] cxlflash: a couple off by one bugs
Date: Wed,  2 Dec 2015 17:26:28 -0600
Message-Id: <1449098788-21695-1-git-send-email-mrochs@linux.vnet.ibm.com>
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk

Commit Message

Matthew R. Ochs Dec. 2, 2015, 11:26 p.m. UTC

From: Dan Carpenter <dan.carpenter@oracle.com>

The "> MAX_CONTEXT" should be ">= MAX_CONTEXT".  Otherwise we go one
step beyond the end of the cfg->ctx_tbl[] array.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Manoj Kumar <manoj@linux.vnet.ibm.com>
Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
Signed-off-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
---
This patch was originally sent by Dan Carpenter in September 2015. I had
based my large patch series that went into 4.4 off of it but this patch
appears to have not made it in. As a valid fix, I'd like to see this make
it into 'next'. I've gone ahead and performed the rebase so that it
applies cleanly.

 drivers/scsi/cxlflash/superpipe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Johannes Thumshirn Dec. 3, 2015, 9:18 a.m. UTC | #1

On Wed, 2015-12-02 at 17:26 -0600, Matthew R. Ochs wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
> 
> The "> MAX_CONTEXT" should be ">= MAX_CONTEXT".  Otherwise we go one
> step beyond the end of the cfg->ctx_tbl[] array.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Manoj Kumar <manoj@linux.vnet.ibm.com>
> Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
> Signed-off-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
> ---
> This patch was originally sent by Dan Carpenter in September 2015. I had
> based my large patch series that went into 4.4 off of it but this patch
> appears to have not made it in. As a valid fix, I'd like to see this make
> it into 'next'. I've gone ahead and performed the rebase so that it
> applies cleanly.
> 
>  drivers/scsi/cxlflash/superpipe.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/cxlflash/superpipe.c
> b/drivers/scsi/cxlflash/superpipe.c
> index cac2e6a..34b21a0 100644
> --- a/drivers/scsi/cxlflash/superpipe.c
> +++ b/drivers/scsi/cxlflash/superpipe.c
> @@ -1380,7 +1380,7 @@ static int cxlflash_disk_attach(struct scsi_device
> *sdev,
>  	}
>  
>  	ctxid = cxl_process_element(ctx);
> -	if (unlikely((ctxid > MAX_CONTEXT) || (ctxid < 0))) {
> +	if (unlikely((ctxid >= MAX_CONTEXT) || (ctxid < 0))) {
>  		dev_err(dev, "%s: ctxid (%d) invalid!\n", __func__, ctxid);
>  		rc = -EPERM;
>  		goto err2;
> @@ -1508,7 +1508,7 @@ static int recover_context(struct cxlflash_cfg *cfg,
> struct ctx_info *ctxi)
>  	}
>  
>  	ctxid = cxl_process_element(ctx);
> -	if (unlikely((ctxid > MAX_CONTEXT) || (ctxid < 0))) {
> +	if (unlikely((ctxid >= MAX_CONTEXT) || (ctxid < 0))) {
>  		dev_err(dev, "%s: ctxid (%d) invalid!\n", __func__, ctxid);
>  		rc = -EPERM;
>  		goto err1;

Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
--
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Martin K. Petersen Dec. 10, 2015, 5:54 p.m. UTC | #2

>>>>> "Matthew" == Matthew R Ochs <mrochs@linux.vnet.ibm.com> writes:

Matthew> The "> MAX_CONTEXT" should be ">= MAX_CONTEXT".  Otherwise we
Matthew> go one step beyond the end of the cfg->ctx_tbl[] array.

Applied to 4.5/scsi-queue.

diff --git a/drivers/scsi/cxlflash/superpipe.c b/drivers/scsi/cxlflash/superpipe.c
index cac2e6a..34b21a0 100644
--- a/drivers/scsi/cxlflash/superpipe.c
+++ b/drivers/scsi/cxlflash/superpipe.c
@@ -1380,7 +1380,7 @@  static int cxlflash_disk_attach(struct scsi_device *sdev,
 	}
 
 	ctxid = cxl_process_element(ctx);
-	if (unlikely((ctxid > MAX_CONTEXT) || (ctxid < 0))) {
+	if (unlikely((ctxid >= MAX_CONTEXT) || (ctxid < 0))) {
 		dev_err(dev, "%s: ctxid (%d) invalid!\n", __func__, ctxid);
 		rc = -EPERM;
 		goto err2;
@@ -1508,7 +1508,7 @@  static int recover_context(struct cxlflash_cfg *cfg, struct ctx_info *ctxi)
 	}
 
 	ctxid = cxl_process_element(ctx);
-	if (unlikely((ctxid > MAX_CONTEXT) || (ctxid < 0))) {
+	if (unlikely((ctxid >= MAX_CONTEXT) || (ctxid < 0))) {
 		dev_err(dev, "%s: ctxid (%d) invalid!\n", __func__, ctxid);
 		rc = -EPERM;
 		goto err1;

[RESEND] cxlflash: a couple off by one bugs

Commit Message

Comments

Patch