diff options
author | Moore, Eric <Eric.Moore@lsil.com> | 2006-01-17 17:06:29 -0700 |
---|---|---|
committer | James Bottomley <jejb@mulgrave.(none)> | 2006-01-31 14:40:05 -0600 |
commit | 2254c86db124a37057116ad20a8de7b8483b6f44 (patch) | |
tree | 324c4e17c925d3a229b6f522644c37c67c08e3e6 /drivers/message/fusion | |
parent | a69ac3248513ff0fbbdd8f316136036b3b8067a9 (diff) | |
download | kernel-crypto-2254c86db124a37057116ad20a8de7b8483b6f44.tar.gz kernel-crypto-2254c86db124a37057116ad20a8de7b8483b6f44.tar.xz kernel-crypto-2254c86db124a37057116ad20a8de7b8483b6f44.zip |
[SCSI] fusion: add message sanity check
This adds a sanity check in the interrupt routine
insures incoming message frames are a valid
message frames.
The code for setting 0xdeadbeaf in the freed message
frames, apparently was already submitted by Christoph
in previous patch submission.
Signed-off-by: Eric Moore <Eric.Moore@lsil.com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Diffstat (limited to 'drivers/message/fusion')
-rw-r--r-- | drivers/message/fusion/mptscsih.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c index 2e1c9ff4b02..05789e50546 100644 --- a/drivers/message/fusion/mptscsih.c +++ b/drivers/message/fusion/mptscsih.c @@ -560,11 +560,24 @@ mptscsih_io_done(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf, MPT_FRAME_HDR *mr) MPT_SCSI_HOST *hd; SCSIIORequest_t *pScsiReq; SCSIIOReply_t *pScsiReply; - u16 req_idx; + u16 req_idx, req_idx_MR; hd = (MPT_SCSI_HOST *) ioc->sh->hostdata; req_idx = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx); + req_idx_MR = (mr != NULL) ? + le16_to_cpu(mr->u.frame.hwhdr.msgctxu.fld.req_idx) : req_idx; + if ((req_idx != req_idx_MR) || + (mf->u.frame.linkage.arg1 == 0xdeadbeaf)) { + printk(MYIOC_s_ERR_FMT "Received a mf that was already freed\n", + ioc->name); + printk (MYIOC_s_ERR_FMT + "req_idx=%x req_idx_MR=%x mf=%p mr=%p sc=%p\n", + ioc->name, req_idx, req_idx_MR, mf, mr, + hd->ScsiLookup[req_idx_MR]); + return 0; + } + sc = hd->ScsiLookup[req_idx]; if (sc == NULL) { MPIHeader_t *hdr = (MPIHeader_t *)mf; |