diff options
| author | Arun Easi <arun.easi@qlogic.com> | 2012-02-09 14:16:01 -0500 |
|---|---|---|
| committer | James Bottomley <JBottomley@Parallels.com> | 2012-02-19 09:35:19 -0500 |
| commit | a6fe35c052c4fdd1e8e21251f14eea0bd4bbd25b (patch) | |
| tree | da2bfb3741f4d2afe1ee2992a1d997ec7acd5bf0 | |
| parent | dafdf8923fbd298cc7bd1ec00aaa69b8a5ceced0 (diff) | |
[SCSI] qla2xxx: Avoid invalid request queue dereference for bad response packets.
Signed-off-by: Arun Easi <arun.easi@qlogic.com>
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
| -rw-r--r-- | drivers/scsi/qla2xxx/qla_isr.c | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c index fdead64eb7d1..f79844ce7122 100644 --- a/drivers/scsi/qla2xxx/qla_isr.c +++ b/drivers/scsi/qla2xxx/qla_isr.c | |||
| @@ -1883,28 +1883,34 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt) | |||
| 1883 | struct qla_hw_data *ha = vha->hw; | 1883 | struct qla_hw_data *ha = vha->hw; |
| 1884 | const char func[] = "ERROR-IOCB"; | 1884 | const char func[] = "ERROR-IOCB"; |
| 1885 | uint16_t que = MSW(pkt->handle); | 1885 | uint16_t que = MSW(pkt->handle); |
| 1886 | struct req_que *req = ha->req_q_map[que]; | 1886 | struct req_que *req = NULL; |
| 1887 | int res = DID_ERROR << 16; | 1887 | int res = DID_ERROR << 16; |
| 1888 | 1888 | ||
| 1889 | ql_dbg(ql_dbg_async, vha, 0x502a, | 1889 | ql_dbg(ql_dbg_async, vha, 0x502a, |
| 1890 | "type of error status in response: 0x%x\n", pkt->entry_status); | 1890 | "type of error status in response: 0x%x\n", pkt->entry_status); |
| 1891 | 1891 | ||
| 1892 | if (que >= ha->max_req_queues || !ha->req_q_map[que]) | ||
| 1893 | goto fatal; | ||
| 1894 | |||
| 1895 | req = ha->req_q_map[que]; | ||
| 1896 | |||
| 1892 | if (pkt->entry_status & RF_BUSY) | 1897 | if (pkt->entry_status & RF_BUSY) |
| 1893 | res = DID_BUS_BUSY << 16; | 1898 | res = DID_BUS_BUSY << 16; |
| 1894 | 1899 | ||
| 1895 | sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); | 1900 | sp = qla2x00_get_sp_from_handle(vha, func, req, pkt); |
| 1896 | if (sp) | 1901 | if (sp) { |
| 1897 | sp->done(ha, sp, res); | 1902 | sp->done(ha, sp, res); |
| 1898 | else { | 1903 | return; |
| 1899 | ql_log(ql_log_warn, vha, 0x5030, | ||
| 1900 | "Error entry - invalid handle.\n"); | ||
| 1901 | |||
| 1902 | if (IS_QLA82XX(ha)) | ||
| 1903 | set_bit(FCOE_CTX_RESET_NEEDED, &vha->dpc_flags); | ||
| 1904 | else | ||
| 1905 | set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); | ||
| 1906 | qla2xxx_wake_dpc(vha); | ||
| 1907 | } | 1904 | } |
| 1905 | fatal: | ||
| 1906 | ql_log(ql_log_warn, vha, 0x5030, | ||
| 1907 | "Error entry - invalid handle/queue.\n"); | ||
| 1908 | |||
| 1909 | if (IS_QLA82XX(ha)) | ||
| 1910 | set_bit(FCOE_CTX_RESET_NEEDED, &vha->dpc_flags); | ||
| 1911 | else | ||
| 1912 | set_bit(ISP_ABORT_NEEDED, &vha->dpc_flags); | ||
| 1913 | qla2xxx_wake_dpc(vha); | ||
| 1908 | } | 1914 | } |
| 1909 | 1915 | ||
| 1910 | /** | 1916 | /** |