From 0fbd635caa86a027dbe88c4739dc00a27e29135e Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:37 -0700
Subject: Fix for possible NULL pointer dereference.

Pointer 'this' returned from call to function 'malloc' at line 3795
may be NULL and will be dereferenced at line 3796.

Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 2e119f8..5e8378f 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -3804,6 +3804,11 @@ static struct mdinfo *container_content_imsm(struct supertype *st)
 		}
 
 		this = malloc(sizeof(*this));
+		if (!this) {
+			fprintf(stderr, Name ": failed to allocate %lu bytes\n",
+				sizeof(*this));
+			break;
+		}
 		memset(this, 0, sizeof(*this));
 		this->next = rest;
 
@@ -3821,7 +3826,7 @@ static struct mdinfo *container_content_imsm(struct supertype *st)
 			ord = get_imsm_ord_tbl_ent(dev, slot); 
 			for (d = super->disks; d ; d = d->next)
 				if (d->index == idx)
-                                        break;
+					break;
 
 			if (d == NULL)
 				skip = 1;
-- 
cgit 


From 20cbe8d2bad9277605b6e51886929a0c00518d37 Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:39 -0700
Subject: Fix for memory and resource leak.

Make sure opened file descriptor is cleaned up on exit
path. Also make sure allocated memory for 'sra' is released
on exit path, too.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 5e8378f..4b8e2b7 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -3664,6 +3664,7 @@ static int validate_geometry_imsm(struct supertype *st, int level, int layout,
 {
 	int fd, cfd;
 	struct mdinfo *sra;
+	int is_member = 0;
 
 	/* if given unused devices create a container 
 	 * if given given devices in a container create a member volume
@@ -3730,17 +3731,19 @@ static int validate_geometry_imsm(struct supertype *st, int level, int layout,
 	}
 	/* Well, it is in use by someone, maybe an 'imsm' container. */
 	cfd = open_container(fd);
+	close(fd);
 	if (cfd < 0) {
-		close(fd);
 		if (verbose)
 			fprintf(stderr, Name ": Cannot use %s: It is busy\n",
 				dev);
 		return 0;
 	}
 	sra = sysfs_read(cfd, 0, GET_VERSION);
-	close(fd);
 	if (sra && sra->array.major_version == -1 &&
-	    strcmp(sra->text_version, "imsm") == 0) {
+	    strcmp(sra->text_version, "imsm") == 0)
+		is_member = 1;
+	sysfs_free(sra);
+	if (is_member) {
 		/* This is a member of a imsm container.  Load the container
 		 * and try to create a volume
 		 */
@@ -3755,11 +3758,13 @@ static int validate_geometry_imsm(struct supertype *st, int level, int layout,
 							     size, dev,
 							     freesize, verbose);
 		}
-		close(cfd);
-	} else /* may belong to another container */
-		return 0;
+	}
 
-	return 1;
+	if (verbose)
+		fprintf(stderr, Name ": failed container membership check\n");
+
+	close(cfd);
+	return 0;
 }
 #endif /* MDASSEMBLE */
 
-- 
cgit 


From d10d56feb88ef8a625ec39e04d7c8b711bf08870 Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:39 -0700
Subject: Fix for NULL pointer dereference.

Suspicious dereference of pointer 'super' before NULL check at
line 3429.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 4b8e2b7..03dcbd5 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -3426,7 +3426,7 @@ static int validate_geometry_imsm_volume(struct supertype *st, int level,
 {
 	struct stat stb;
 	struct intel_super *super = st->sb;
-	struct imsm_super *mpb = super->anchor;
+	struct imsm_super *mpb;
 	struct dl *dl;
 	unsigned long long pos = 0;
 	unsigned long long maxsize;
@@ -3436,6 +3436,7 @@ static int validate_geometry_imsm_volume(struct supertype *st, int level,
 	/* We must have the container info already read in. */
 	if (!super)
 		return 0;
+	mpb = super->anchor;
 
 	if (!is_raid_level_supported(super->orom, level, raiddisks)) {
 		pr_vrb(": platform does not support raid%d with %d disk%s\n",
-- 
cgit 


From 791b666ae864cbd6f6c4513859afeb5fc624d02f Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:39 -0700
Subject: Fix for NULL pointer dereference.

Pointers '_dev' and '_disk' returned from call to function '_get_imsm_dev'
and '_get_imsm_disk' may be NULL and will be dereferenced at lines
2933 and 2934, respectively.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 03dcbd5..49e938d 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -2938,6 +2938,10 @@ static int add_to_super_imsm_volume(struct supertype *st, mdu_disk_info_t *dk,
 		struct imsm_dev *_dev = __get_imsm_dev(mpb, 0);
 		struct imsm_disk *_disk = __get_imsm_disk(mpb, dl->index);
 
+		if (!_dev || !_disk) {
+			fprintf(stderr, Name ": BUG mpb setup error\n");
+			return 1;
+		}
 		*_dev = *dev;
 		*_disk = dl->disk;
 		sum = random32();
-- 
cgit 


From 7a6ecd55444b703050d3655eb04a22656e37488b Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:39 -0700
Subject: Fix for buffer overflow defect.

Buffer overflow, array index of 'nm' may be out of bounds.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 49e938d..5cc78f5 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -2493,7 +2493,7 @@ static int load_super_imsm_all(struct supertype *st, int fd, void **sbp,
 	/* load all mpbs */
 	for (sd = sra->devs, i = 0; sd; sd = sd->next, i++) {
 		struct intel_super *s = alloc_super(0);
-		char nm[20];
+		char nm[32];
 		int dfd;
 
 		err = 1;
-- 
cgit 


From c3ca5f60282b263808dff6b0b77538d2207c3568 Mon Sep 17 00:00:00 2001
From: Dan Williams <dan.j.williams@intel.com>
Date: Thu, 10 Dec 2009 12:03:39 -0700
Subject: imsm: no need to report the component device name from
 container_content

sysfs_add_disk() regenerates the name from major:minor, so we can drop a
strcpy that the static analysis checker does not like.

Reported-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 2 --
 1 file changed, 2 deletions(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 5cc78f5..cf6288f 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -3878,8 +3878,6 @@ static struct mdinfo *container_content_imsm(struct supertype *st)
 			info_d->events = __le32_to_cpu(mpb->generation_num);
 			info_d->data_offset = __le32_to_cpu(map->pba_of_lba0);
 			info_d->component_size = __le32_to_cpu(map->blocks_per_member);
-			if (d->devname)
-				strcpy(info_d->name, d->devname);
 		}
 		rest = this;
 	}
-- 
cgit 


From 4e9d21862d0fbea7e028ff3a48a0b734440e6015 Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:39 -0700
Subject: Fix for NULL pointer dereference defect.

Pointer 'st' returned from call to function 'malloc' at line 320 may
be NULL and it will be dereferenced at line 321.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index cf6288f..a2acaaf 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -318,6 +318,8 @@ static struct supertype *match_metadata_desc_imsm(char *arg)
 		return NULL;
 
 	st = malloc(sizeof(*st));
+	if (!st)
+		return NULL;
 	memset(st, 0, sizeof(*st));
 	st->ss = &super_imsm;
 	st->max_devs = IMSM_MAX_DEVICES;
-- 
cgit 


From d362da3dfef78f016690e677052b20a163e65236 Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: Fix for NULL pointer dereference defect.

Pointer 'disk' returned from call to function '_get_imsm_disk' at line
700 may be NULL and will be dereferenced at line 710.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index a2acaaf..da753a0 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -703,7 +703,7 @@ static void print_imsm_disk(struct imsm_super *mpb, int index, __u32 reserved)
 	char str[MAX_RAID_SERIAL_LEN + 1];
 	__u64 sz;
 
-	if (index < 0)
+	if (index < 0 || !disk)
 		return;
 
 	printf("\n");
-- 
cgit 


From 4e5e717d72453bed761f561f24393d95d1817352 Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: Fix for NULL pointer dereference defect.

Pointer 'c' returned from call to function 'strchr' at line 954 may
be NULL and will be dereferenced at line 955.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index da753a0..72fa68f 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -961,6 +961,12 @@ static int imsm_enumerate_ports(const char *hba_path, int port_count, int host_b
 
 		/* chop device path to 'host%d' and calculate the port number */
 		c = strchr(&path[hba_len], '/');
+		if (!c) {
+			if (verbose)
+				fprintf(stderr, Name ": %s - invalid path name\n", path + hba_len);
+			err = 2;
+			break;
+		}
 		*c = '\0';
 		if (sscanf(&path[hba_len], "host%d", &port) == 1)
 			port -= host_base;
-- 
cgit 


From e207da2f1b16470429d621ee47938e3215844caa Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: Fix for memory leak defect.

Dynamic memory stored in 'devnum2devname(st->container_dev)' allocated
through function 'devnum2devname' at line 1274 is lost at line 1278.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 72fa68f..fbde7e6 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -1244,6 +1244,7 @@ static void getinfo_super_imsm_volume(struct supertype *st, struct mdinfo *info)
 	struct imsm_dev *dev = get_imsm_dev(super, super->current_vol);
 	struct imsm_map *map = get_imsm_map(dev, 0);
 	struct dl *dl;
+	char *devname;
 
 	for (dl = super->disks; dl; dl = dl->next)
 		if (dl->raiddisk == info->disk.raid_disk)
@@ -1285,9 +1286,11 @@ static void getinfo_super_imsm_volume(struct supertype *st, struct mdinfo *info)
 
 	info->array.major_version = -1;
 	info->array.minor_version = -2;
-	sprintf(info->text_version, "/%s/%d",
-		devnum2devname(st->container_dev),
-		info->container_member);
+	devname = devnum2devname(st->container_dev);
+	*info->text_version = '\0';
+	if (devname)
+		sprintf(info->text_version, "/%s/%d", devname, info->container_member);
+	free(devname);
 	info->safe_mode_delay = 4000;  /* 4 secs like the Matrix driver */
 	uuid_from_super_imsm(st, info->uuid);
 }
-- 
cgit 


From 1602d52c99aff727440e1015411c6566736aaf7f Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: Fix for memory leak defect.

Possible memory leak. Dynamic memory stored in 'sra' allocated through
function 'sysfs_read' at line 2484 can be lost at lines 2491, 2560 and
2571.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index fbde7e6..5c967b2 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -2498,9 +2498,10 @@ static int load_super_imsm_all(struct supertype *st, int fd, void **sbp,
 
 	if (sra->array.major_version != -1 ||
 	    sra->array.minor_version != -2 ||
-	    strcmp(sra->text_version, "imsm") != 0)
-		return 1;
-
+	    strcmp(sra->text_version, "imsm") != 0) {
+		err = 1;
+		goto error;
+	}
 	/* load all mpbs */
 	for (sd = sra->devs, i = 0; sd; sd = sd->next, i++) {
 		struct intel_super *s = alloc_super(0);
@@ -2566,6 +2567,7 @@ static int load_super_imsm_all(struct supertype *st, int fd, void **sbp,
 		super_list = super_list->next;
 		free_imsm(s);
 	}
+	sysfs_free(sra);
 
 	if (err)
 		return err;
-- 
cgit 


From 389508223e22807e7fb42ada4ad9d61416cc7afd Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: Fix for memory leak defect.

Possible memory leak. Dynamic memory stored in 'dev' and 'dev' allocated
through function 'malloc' can be lost on exit path.

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 5c967b2..d87b2b0 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -2810,6 +2810,8 @@ static int init_super_imsm_volume(struct supertype *st, mdu_array_info_t *info,
 	map->ddf = 1;
 
 	if (info->level == 1 && info->raid_disks > 2) {
+		free(dev);
+		free(dv);
 		fprintf(stderr, Name": imsm does not support more than 2 disks"
 				"in a raid1 volume\n");
 		return 0;
-- 
cgit 


From 33a6535d00eff4475a1557f3d9124e362a74ad28 Mon Sep 17 00:00:00 2001
From: Artur Wojcik <artur.wojcik@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: Fix required to enable RAID arrays on SAS disks.

The patch increases the capacity of buffers used to store
sysfs path names. Originally the buffers were too small to
hold the canonical representation of sysfs path (in case
of a SAS device, especially a device installed behind an
expander).

Signed-off-by: Artur Wojcik <artur.wojcik@intel.com>
Reviewed-by: Andre Noll <maan@systemlinux.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index d87b2b0..325630f 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -1588,7 +1588,7 @@ static void fd2devname(int fd, char *name)
 {
 	struct stat st;
 	char path[256];
-	char dname[100];
+	char dname[PATH_MAX];
 	char *nm;
 	int rv;
 
-- 
cgit 


From dd9bb2fbed335f69225ea1a3514bd27422288a18 Mon Sep 17 00:00:00 2001
From: Dan Williams <dan.j.williams@intel.com>
Date: Thu, 10 Dec 2009 12:03:40 -0700
Subject: imsm: prune dead code in validate_geometry_imsm

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 super-intel.c | 15 ---------------
 1 file changed, 15 deletions(-)

(limited to 'super-intel.c')

diff --git a/super-intel.c b/super-intel.c
index 325630f..14e1521 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -3718,21 +3718,6 @@ static int validate_geometry_imsm(struct supertype *st, int level, int layout,
 						     dev, freesize, verbose);
 	}
 
-	/* limit creation to the following levels */
-	if (!dev)
-		switch (level) {
-		case 0:
-		case 1:
-		case 10:
-		case 5:
-			return 0;
-		default:
-			if (verbose)
-				fprintf(stderr, Name
-					": IMSM only supports levels 0,1,5,10\n");
-			return 1;
-		}
-
 	/* This device needs to be a device in an 'imsm' container */
 	fd = open(dev, O_RDONLY|O_EXCL, 0);
 	if (fd >= 0) {
-- 
cgit