diff options
author | Jayamohan Kallickal <jayamohan.kallickal@emulex.com> | 2014-05-06 05:41:28 +0400 |
---|---|---|
committer | Christoph Hellwig <hch@lst.de> | 2014-05-28 20:13:16 +0400 |
commit | 8fc01eaa8793b7c2277b4a84c218a5f8fe45ccdd (patch) | |
tree | 5713c06f874403c0816b2c23e219cb60c3973668 /drivers | |
parent | b3c202dc57607174468b3ea6b4220b7ca5643f05 (diff) | |
download | linux-8fc01eaa8793b7c2277b4a84c218a5f8fe45ccdd.tar.xz |
be2iscsi: Fix memory corruption in MBX path
From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
Sent: Friday, March 28, 2014 1:42 AM
Subject: re: [SCSI] be2iscsi: Fix handling timed out MBX completion from FW
Hello Jayamohan Kallickal,
The patch 1957aa7f6246: "[SCSI] be2iscsi: Fix handling timed out MBX completion from FW" from Jan 29, 2014, leads to the following static checker warning:
drivers/scsi/be2iscsi/be_main.c:5581 beiscsi_dev_probe()
error: memset() '&phba->ctrl.ptag_state[i]->tag_mem_state' too small (24 vs 32)
drivers/scsi/be2iscsi/be_main.c
5576 for (i = 0; i < MAX_MCC_CMD; i++) {
5577 init_waitqueue_head(&phba->ctrl.mcc_wait[i + 1]);
5578 phba->ctrl.mcc_tag[i] = i + 1;
5579 phba->ctrl.mcc_numtag[i + 1] = 0;
5580 phba->ctrl.mcc_tag_available++;
5581 memset(&phba->ctrl.ptag_state[i].tag_mem_state, 0,
5582 sizeof(struct beiscsi_mcc_tag_state));
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Probably this this be change to sizeof(struct be_dma_mem struct)? It looks like we are corrupting memory a bit here.
5583 }
regards,
dan carpenter
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John Soni Jose <sony.john-n@emulex.com>
Signed-off-by: Jayamohan Kallickal <jayamohan.kallickal@emulex.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/scsi/be2iscsi/be_main.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c index e9f01a5f360b..e202ab32d13e 100644 --- a/drivers/scsi/be2iscsi/be_main.c +++ b/drivers/scsi/be2iscsi/be_main.c @@ -5625,7 +5625,7 @@ static int beiscsi_dev_probe(struct pci_dev *pcidev, phba->ctrl.mcc_numtag[i + 1] = 0; phba->ctrl.mcc_tag_available++; memset(&phba->ctrl.ptag_state[i].tag_mem_state, 0, - sizeof(struct beiscsi_mcc_tag_state)); + sizeof(struct be_dma_mem)); } phba->ctrl.mcc_alloc_index = phba->ctrl.mcc_free_index = 0; |