提交 298c794d 编写于 作者: N nagalakshmi.nandigama@lsi.com 提交者: James Bottomley

[SCSI] mpt2sas: Fix security scan issues reported by source code analysis tool

Modified the source code as per the findings reported by the source
code analysis tool. Source code for the following functionalities
has been touched. None of the driver functionalities has changed.

- SMP Passthrough IOCTL
- Debug messages for MPT Replies (i.e. bit 9 of Logging Level)
- Task Management using sysfs
- Device removal, i.e. when a target device (including any PD within a volume)
  is removed, and Volume Deletion.
- Trace Buffer
Signed-off-by: NNagalakshmi Nandigama <nagalakshmi.nandigama@lsi.com>
Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
上级 09da0b32
...@@ -699,6 +699,11 @@ _base_display_reply_info(struct MPT2SAS_ADAPTER *ioc, u16 smid, u8 msix_index, ...@@ -699,6 +699,11 @@ _base_display_reply_info(struct MPT2SAS_ADAPTER *ioc, u16 smid, u8 msix_index,
u16 ioc_status; u16 ioc_status;
mpi_reply = mpt2sas_base_get_reply_virt_addr(ioc, reply); mpi_reply = mpt2sas_base_get_reply_virt_addr(ioc, reply);
if (unlikely(!mpi_reply)) {
printk(MPT2SAS_ERR_FMT "mpi_reply not valid at %s:%d/%s()!\n",
ioc->name, __FILE__, __LINE__, __func__);
return;
}
ioc_status = le16_to_cpu(mpi_reply->IOCStatus); ioc_status = le16_to_cpu(mpi_reply->IOCStatus);
#ifdef CONFIG_SCSI_MPT2SAS_LOGGING #ifdef CONFIG_SCSI_MPT2SAS_LOGGING
if ((ioc_status & MPI2_IOCSTATUS_MASK) && if ((ioc_status & MPI2_IOCSTATUS_MASK) &&
...@@ -930,16 +935,18 @@ _base_interrupt(int irq, void *bus_id) ...@@ -930,16 +935,18 @@ _base_interrupt(int irq, void *bus_id)
else if (request_desript_type == else if (request_desript_type ==
MPI2_RPY_DESCRIPT_FLAGS_TARGETASSIST_SUCCESS) MPI2_RPY_DESCRIPT_FLAGS_TARGETASSIST_SUCCESS)
goto next; goto next;
if (smid) if (smid) {
cb_idx = _base_get_cb_idx(ioc, smid); cb_idx = _base_get_cb_idx(ioc, smid);
if (smid && cb_idx != 0xFF) { if ((likely(cb_idx < MPT_MAX_CALLBACKS))
rc = mpt_callbacks[cb_idx](ioc, smid, msix_index, && (likely(mpt_callbacks[cb_idx] != NULL))) {
reply); rc = mpt_callbacks[cb_idx](ioc, smid,
msix_index, reply);
if (reply) if (reply)
_base_display_reply_info(ioc, smid, msix_index, _base_display_reply_info(ioc, smid,
reply); msix_index, reply);
if (rc) if (rc)
mpt2sas_base_free_smid(ioc, smid); mpt2sas_base_free_smid(ioc, smid);
}
} }
if (!smid) if (!smid)
_base_async_event(ioc, msix_index, reply); _base_async_event(ioc, msix_index, reply);
......
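Review bot: In `_base_interrupt()`, when `cb_idx` is not below `MPT_MAX_CALLBACKS` or `mpt_callbacks[cb_idx]` is NULL, the reply is now dropped silently. Nothing is logged and `mpt2sas_base_free_smid()` is not reached, because that call sits inside the guarded block. A bad callback index for a non-zero `smid` points to a corrupted or unexpected reply, so it is worth recording. An `else` branch with a throttled message would make it visible without flooding the log from interrupt context, for example `printk_ratelimited(MPT2SAS_ERR_FMT "no callback for smid(%d), cb_idx(0x%02x)\n", ioc->name, smid, cb_idx);`. Whether the smid should also be released on that path depends on code outside the hunk, so the note leaves that open.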
...@@ -865,8 +865,16 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc, struct mpt2_ioctl_command karg, ...@@ -865,8 +865,16 @@ _ctl_do_mpt_command(struct MPT2SAS_ADAPTER *ioc, struct mpt2_ioctl_command karg,
if (smp_request->PassthroughFlags & if (smp_request->PassthroughFlags &
MPI2_SMP_PT_REQ_PT_FLAGS_IMMEDIATE) MPI2_SMP_PT_REQ_PT_FLAGS_IMMEDIATE)
data = (u8 *)&smp_request->SGL; data = (u8 *)&smp_request->SGL;
else else {
if (unlikely(data_out == NULL)) {
printk(KERN_ERR "failure at %s:%d/%s()!\n",
__FILE__, __LINE__, __func__);
mpt2sas_base_free_smid(ioc, smid);
ret = -EINVAL;
goto out;
}
data = data_out; data = data_out;
}
if (data[1] == 0x91 && (data[10] == 1 || data[10] == 2)) { if (data[1] == 0x91 && (data[10] == 1 || data[10] == 2)) {
ioc->ioc_link_reset_in_progress = 1; ioc->ioc_link_reset_in_progress = 1;
...@@ -2832,7 +2840,7 @@ _ctl_host_trace_buffer_enable_store(struct device *cdev, ...@@ -2832,7 +2840,7 @@ _ctl_host_trace_buffer_enable_store(struct device *cdev,
struct mpt2_diag_register diag_register; struct mpt2_diag_register diag_register;
u8 issue_reset = 0; u8 issue_reset = 0;
if (sscanf(buf, "%s", str) != 1) if (sscanf(buf, "%9s", str) != 1)
return -EINVAL; return -EINVAL;
if (!strcmp(str, "post")) { if (!strcmp(str, "post")) {
......
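Review bot: The new NULL check on `data_out` in `_ctl_do_mpt_command()` does not by itself make the following `data[1]` and `data[10]` reads safe. A non-NULL out-buffer shorter than 11 bytes would still be read past its end. The size of the caller-supplied buffer is set outside this hunk, so confirm it against the allocation earlier in the function. If nothing bounds it, gate the link-reset test on the length, e.g. `if (<data_out length> > 10 && data[1] == 0x91 && ...)`, where the placeholder stands for whichever variable holds that size. Similarly, the `%9s` width in `_ctl_host_trace_buffer_enable_store()` is only correct if `str`, declared outside the hunk, is at least 10 bytes; `sizeof(str)` next to the declaration would keep the two tied together.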
...@@ -3186,16 +3186,19 @@ static u8 ...@@ -3186,16 +3186,19 @@ static u8
_scsih_sas_control_complete(struct MPT2SAS_ADAPTER *ioc, u16 smid, _scsih_sas_control_complete(struct MPT2SAS_ADAPTER *ioc, u16 smid,
u8 msix_index, u32 reply) u8 msix_index, u32 reply)
{ {
#ifdef CONFIG_SCSI_MPT2SAS_LOGGING
Mpi2SasIoUnitControlReply_t *mpi_reply = Mpi2SasIoUnitControlReply_t *mpi_reply =
mpt2sas_base_get_reply_virt_addr(ioc, reply); mpt2sas_base_get_reply_virt_addr(ioc, reply);
#endif if (likely(mpi_reply)) {
dewtprintk(ioc, printk(MPT2SAS_INFO_FMT dewtprintk(ioc, printk(MPT2SAS_INFO_FMT
"sc_complete:handle(0x%04x), (open) " "sc_complete:handle(0x%04x), (open) "
"smid(%d), ioc_status(0x%04x), loginfo(0x%08x)\n", "smid(%d), ioc_status(0x%04x), loginfo(0x%08x)\n",
ioc->name, le16_to_cpu(mpi_reply->DevHandle), smid, ioc->name, le16_to_cpu(mpi_reply->DevHandle), smid,
le16_to_cpu(mpi_reply->IOCStatus), le16_to_cpu(mpi_reply->IOCStatus),
le32_to_cpu(mpi_reply->IOCLogInfo))); le32_to_cpu(mpi_reply->IOCLogInfo)));
} else {
printk(MPT2SAS_ERR_FMT "mpi_reply not valid at %s:%d/%s()!\n",
ioc->name, __FILE__, __LINE__, __func__);
}
return 1; return 1;
} }
...@@ -3274,7 +3277,11 @@ _scsih_tm_volume_tr_complete(struct MPT2SAS_ADAPTER *ioc, u16 smid, ...@@ -3274,7 +3277,11 @@ _scsih_tm_volume_tr_complete(struct MPT2SAS_ADAPTER *ioc, u16 smid,
"progress!\n", __func__, ioc->name)); "progress!\n", __func__, ioc->name));
return 1; return 1;
} }
if (unlikely(!mpi_reply)) {
printk(MPT2SAS_ERR_FMT "mpi_reply not valid at %s:%d/%s()!\n",
ioc->name, __FILE__, __LINE__, __func__);
return 1;
}
mpi_request_tm = mpt2sas_base_get_msg_frame(ioc, smid); mpi_request_tm = mpt2sas_base_get_msg_frame(ioc, smid);
handle = le16_to_cpu(mpi_request_tm->DevHandle); handle = le16_to_cpu(mpi_request_tm->DevHandle);
if (handle != le16_to_cpu(mpi_reply->DevHandle)) { if (handle != le16_to_cpu(mpi_reply->DevHandle)) {
...@@ -3337,7 +3344,11 @@ _scsih_tm_tr_complete(struct MPT2SAS_ADAPTER *ioc, u16 smid, u8 msix_index, ...@@ -3337,7 +3344,11 @@ _scsih_tm_tr_complete(struct MPT2SAS_ADAPTER *ioc, u16 smid, u8 msix_index,
"operational\n", __func__, ioc->name)); "operational\n", __func__, ioc->name));
return 1; return 1;
} }
if (unlikely(!mpi_reply)) {
printk(MPT2SAS_ERR_FMT "mpi_reply not valid at %s:%d/%s()!\n",
ioc->name, __FILE__, __LINE__, __func__);
return 1;
}
mpi_request_tm = mpt2sas_base_get_msg_frame(ioc, smid); mpi_request_tm = mpt2sas_base_get_msg_frame(ioc, smid);
handle = le16_to_cpu(mpi_request_tm->DevHandle); handle = le16_to_cpu(mpi_request_tm->DevHandle);
if (handle != le16_to_cpu(mpi_reply->DevHandle)) { if (handle != le16_to_cpu(mpi_reply->DevHandle)) {
...@@ -7353,6 +7364,13 @@ mpt2sas_scsih_event_callback(struct MPT2SAS_ADAPTER *ioc, u8 msix_index, ...@@ -7353,6 +7364,13 @@ mpt2sas_scsih_event_callback(struct MPT2SAS_ADAPTER *ioc, u8 msix_index,
return 1; return 1;
mpi_reply = mpt2sas_base_get_reply_virt_addr(ioc, reply); mpi_reply = mpt2sas_base_get_reply_virt_addr(ioc, reply);
if (unlikely(!mpi_reply)) {
printk(MPT2SAS_ERR_FMT "mpi_reply not valid at %s:%d/%s()!\n",
ioc->name, __FILE__, __LINE__, __func__);
return 1;
}
event = le16_to_cpu(mpi_reply->Event); event = le16_to_cpu(mpi_reply->Event);
switch (event) { switch (event) {
......
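Review bot: The new `return 1` on a NULL `mpi_reply` in `_scsih_tm_volume_tr_complete()` and `_scsih_tm_tr_complete()` ends the completion before the `DevHandle` comparison and everything after it, leaving only a generic log line behind. Both functions continue outside the hunk, so what the skipped tail does cannot be confirmed from here. If it advances the device-removal sequence, the message should identify the dropped request, for example by adding `smid(%d)` and passing `smid` to the printk. A short comment such as `/* no reply frame: give up on this TM completion; the caller frees the smid on a non-zero return */` would document the intent, assuming these callbacks are dispatched from `_base_interrupt()`. The identical "mpi_reply not valid" printk now appears four times in this file and could be a single helper macro.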