svn commit: r311160 - head/sys/dev/mpr

Alan Somers asomers at FreeBSD.org
Tue Jan 3 17:35:18 UTC 2017 

Author: asomers
Date: Tue Jan  3 17:35:16 2017
New Revision: 311160
URL: https://svnweb.freebsd.org/changeset/base/311160

Log:
  misc minor fixes in mpr(4)
  
  sys/dev/mpr/mpr_sas.c
  	* Fix a potential null pointer dereference (CID 1305731)
  	* Check for overrun of the ccb_scsiio.cdb_io.cdb_bytes buffer (CID
  	  1211934)
  
  sys/dev/mpr/mpr_sas_lsi.c
  	* Nullify a dangling pointer in mprsas_get_sata_identify
  	* Fix a memory leak in mprsas_SSU_to_SATA_devices (CID 1211935)
  
  Reported by:	Coverity (partially)
  CID:		1305731 1211934 1211935
  Reviewed by:	slm
  MFC after:	4 weeks
  Sponsored by:	Spectra Logic Corp
  Differential Revision:	https://reviews.freebsd.org/D8880

Modified:
  head/sys/dev/mpr/mpr_sas.c
  head/sys/dev/mpr/mpr_sas_lsi.c

Modified: head/sys/dev/mpr/mpr_sas.c
==============================================================================
--- head/sys/dev/mpr/mpr_sas.c	Tue Jan  3 17:24:56 2017	(r311159)
+++ head/sys/dev/mpr/mpr_sas.c	Tue Jan  3 17:35:16 2017	(r311160)
@@ -1846,8 +1846,12 @@ mprsas_action_scsiio(struct mprsas_softc
 
 	if (csio->ccb_h.flags & CAM_CDB_POINTER)
 		bcopy(csio->cdb_io.cdb_ptr, &req->CDB.CDB32[0], csio->cdb_len);
-	else
+	else {
+		KASSERT(csio->cdb_len <= IOCDBLEN,
+		    ("cdb_len %d is greater than IOCDBLEN but CAM_CDB_POINTER is not set",
+		     csio->cdb_len));
 		bcopy(csio->cdb_io.cdb_bytes, &req->CDB.CDB32[0],csio->cdb_len);
+	}
 	req->IoFlags = htole16(csio->cdb_len);
 
 	/*
@@ -2429,6 +2433,7 @@ mprsas_scsiio_complete(struct mpr_softc 
 		 * driver is being shutdown.
 		 */
 		if ((csio->cdb_io.cdb_bytes[0] == INQUIRY) &&
+		    (csio->data_ptr != NULL) &&
 		    ((csio->data_ptr[0] & 0x1f) == T_DIRECT) &&
 		    (sc->mapping_table[target_id].device_info &
 		    MPI2_SAS_DEVICE_INFO_SATA_DEVICE) &&

Modified: head/sys/dev/mpr/mpr_sas_lsi.c
==============================================================================
--- head/sys/dev/mpr/mpr_sas_lsi.c	Tue Jan  3 17:24:56 2017	(r311159)
+++ head/sys/dev/mpr/mpr_sas_lsi.c	Tue Jan  3 17:35:16 2017	(r311160)
@@ -1074,6 +1074,7 @@ out:
 		mpr_free_command(sc, cm);
 	else if (error == 0)
 		error = EWOULDBLOCK;
+	cm->cm_data = NULL;
 	free(buffer, M_MPR);
 	return (error);
 }
@@ -1214,18 +1215,18 @@ mprsas_SSU_to_SATA_devices(struct mpr_so
 			continue;
 		}
 
-		ccb = xpt_alloc_ccb_nowait();
-		if (ccb == NULL) {
-			mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop "
-			    "unit.\n");
-			return;
-		}
-
 		/*
 		 * The stop_at_shutdown flag will be set if this device is
 		 * a SATA direct-access end device.
 		 */
 		if (target->stop_at_shutdown) {
+			ccb = xpt_alloc_ccb_nowait();
+			if (ccb == NULL) {
+				mpr_dprint(sc, MPR_FAULT, "Unable to alloc CCB to stop "
+				    "unit.\n");
+				return;
+			}
+
 			if (xpt_create_path(&ccb->ccb_h.path, xpt_periph,
 			    pathid, targetid, CAM_LUN_WILDCARD) !=
 			    CAM_REQ_CMP) {

More information about the svn-src-head mailing list