From patchwork Thu Jun 25 13:44:34 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brian King <brking@linux.vnet.ibm.com>
X-Patchwork-Id: 6675241
Return-Path: <linux-scsi-owner@kernel.org>
X-Original-To: patchwork-linux-scsi@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 150219F380
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 25 Jun 2015 13:44:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 46D57206EC
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 25 Jun 2015 13:44:43 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 4ABC0206E8
	for <patchwork-linux-scsi@patchwork.kernel.org>;
	Thu, 25 Jun 2015 13:44:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751337AbbFYNol (ORCPT
	<rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
	Thu, 25 Jun 2015 09:44:41 -0400
Received: from e33.co.us.ibm.com ([32.97.110.151]:56644 "EHLO
	e33.co.us.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750983AbbFYNok (ORCPT
	<rfc822; linux-scsi@vger.kernel.org>); Thu, 25 Jun 2015 09:44:40 -0400
Received: from /spool/local
	by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use
	Only! Violators will be prosecuted
	for <linux-scsi@vger.kernel.org> from <brking@linux.vnet.ibm.com>;
	Thu, 25 Jun 2015 07:44:39 -0600
Received: from d03dlp01.boulder.ibm.com (9.17.202.177)
	by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway:
	Authorized Use Only! Violators will be prosecuted;
	Thu, 25 Jun 2015 07:44:37 -0600
X-Helo: d03dlp01.boulder.ibm.com
X-MailFrom: brking@linux.vnet.ibm.com
X-RcptTo: stable@vger.kernel.org
Received: from b03cxnp08026.gho.boulder.ibm.com
	(b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
	by d03dlp01.boulder.ibm.com (Postfix) with ESMTP id DA0751FF004A;
	Thu, 25 Jun 2015 07:35:46 -0600 (MDT)
Received: from d03av03.boulder.ibm.com (d03av03.boulder.ibm.com
	[9.17.195.169])
	by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with
	ESMTP id t5PDiEQt45875246; Thu, 25 Jun 2015 06:44:14 -0700
Received: from d03av03.boulder.ibm.com (localhost [127.0.0.1])
	by d03av03.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP
	id t5PDiakn026039; Thu, 25 Jun 2015 07:44:37 -0600
Received: from localhost.localdomain (sig-9-48-103-32.ibm.com [9.48.103.32])
	by d03av03.boulder.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with
	ESMTP id t5PDiZLv025988; Thu, 25 Jun 2015 07:44:35 -0600
Message-Id: <201506251344.t5PDiZLv025988@d03av03.boulder.ibm.com>
Subject: [PATCH 1/1] ipr: Fix invalid array indexing for HRRQ
To: James.Bottomley@HansenPartnership.com
Cc: linux-scsi@vger.kernel.org, wenxiong@linux.vnet.ibm.com,
	krisman@linux.vnet.ibm.com, brking@linux.vnet.ibm.com,
	stable@vger.kernel.org
From: Brian King <brking@linux.vnet.ibm.com>
Date: Thu, 25 Jun 2015 08:44:34 -0500
X-TM-AS-MML: disable
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 15062513-0009-0000-0000-00000C0044C0
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

James,

Here is one more fix for a rather nasty bug where the ipr driver can start
accessing memory it doesn't own. I'd like to add to the queue
of ipr patches. There are now two patches on top of the previously submitted
series of four. If you want me to resend everything as a complete
series, please let me know.

Thanks,

Brian

8<

Fixes another signed / unsigned array indexing bug in the ipr driver.

Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Tested-by: Wen Xiong <wenxiong@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
---

 drivers/scsi/ipr.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff -puN drivers/scsi/ipr.c~ipr_hrrq_index_fix drivers/scsi/ipr.c
--- linux/drivers/scsi/ipr.c~ipr_hrrq_index_fix	2015-06-23 11:43:18.151741523 -0500
+++ linux-bjking1/drivers/scsi/ipr.c	2015-06-23 11:43:18.157741435 -0500
@@ -1052,10 +1052,15 @@ static void ipr_send_blocking_cmd(struct
 
 static int ipr_get_hrrq_index(struct ipr_ioa_cfg *ioa_cfg)
 {
+	unsigned int hrrq;
+
 	if (ioa_cfg->hrrq_num == 1)
-		return 0;
-	else
-		return (atomic_add_return(1, &ioa_cfg->hrrq_index) % (ioa_cfg->hrrq_num - 1)) + 1;
+		hrrq = 0;
+	else {
+		hrrq = atomic_add_return(1, &ioa_cfg->hrrq_index);
+		hrrq = ((hrrq + 1) % (ioa_cfg->hrrq_num - 1)) + 1;
+	}
+	return hrrq;
 }
 
 /**