[SCSI] libfc, fcoe: ignore rx frame with wrong xid info

Drop the rx frame having xid with wrong cpu info
or received with xid  not matching to our xid.

Not dropping such frame is causing panic as
that causes accessing data struct beyond their
bounds.

Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>

2 files changed, 5 insertions, 3 deletions

diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c
index f7547fb000c0..945df21ac017 100644
--- a/drivers/scsi/fcoe/fcoe.c
+++ b/drivers/scsi/fcoe/fcoe.c
@@ -1373,6 +1373,10 @@ int fcoe_rcv(struct sk_buff *skb, struct net_device *netdev,
                 } else
                         cpu = smp_processor_id();
         }
+
+        if (cpu >= nr_cpu_ids)
+                goto err;
+
         fps = &per_cpu(fcoe_percpu, cpu);
         spin_lock_bh(&fps->fcoe_rx_list.lock);
         if (unlikely(!fps->thread)) {
diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index 7baf2239ce07..01ff082dc34c 100644
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -802,10 +802,8 @@ static struct fc_exch *fc_exch_find(struct fc_exch_mgr *mp, u16 xid)
                 pool = per_cpu_ptr(mp->pool, xid & fc_cpu_mask);
                 spin_lock_bh(&pool->lock);
                 ep = fc_exch_ptr_get(pool, (xid - mp->min_xid) >> fc_cpu_order);
-                if (ep) {
+                if (ep && ep->xid == xid)
                         fc_exch_hold(ep);
-                        WARN_ON(ep->xid != xid);
-                }
                 spin_unlock_bh(&pool->lock);
         }
         return ep;