[SCSI] zfcp: Bounds checking for deferred error trace

[firefly-linux-kernel-4.4.55.git] / drivers / s390 / scsi / zfcp_qdio.c

diff --git a/drivers/s390/scsi/zfcp_qdio.c b/drivers/s390/scsi/zfcp_qdio.c
index b9fffc8d94a76daaf6b7faadbcd85194cb555094..50b5615848f6edaf63ca75d2021fe102eae5a6d7 100644 (file)
--- a/drivers/s390/scsi/zfcp_qdio.c
+++ b/drivers/s390/scsi/zfcp_qdio.c
@@ -102,18 +102,22 @@ static void zfcp_qdio_int_resp(struct ccw_device *cdev, unsigned int qdio_err,
 {
        struct zfcp_qdio *qdio = (struct zfcp_qdio *) parm;
        struct zfcp_adapter *adapter = qdio->adapter;
-       struct qdio_buffer_element *sbale;
        int sbal_no, sbal_idx;
-       void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
-       u64 req_id;
-       u8 scount;
 
        if (unlikely(qdio_err)) {
-               memset(pl, 0, ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
                if (zfcp_adapter_multi_buffer_active(adapter)) {
+                       void *pl[ZFCP_QDIO_MAX_SBALS_PER_REQ + 1];
+                       struct qdio_buffer_element *sbale;
+                       u64 req_id;
+                       u8 scount;
+
+                       memset(pl, 0,
+                              ZFCP_QDIO_MAX_SBALS_PER_REQ * sizeof(void *));
                        sbale = qdio->res_q[idx]->element;
                        req_id = (u64) sbale->addr;
-                       scount = sbale->scount + 1; /* incl. signaling SBAL */
+                       scount = min(sbale->scount + 1,
+                                    ZFCP_QDIO_MAX_SBALS_PER_REQ + 1);
+                                    /* incl. signaling SBAL */
 
                        for (sbal_no = 0; sbal_no < scount; sbal_no++) {
                                sbal_idx = (idx + sbal_no) %