Hi Bart,

On Thu, Feb 20, 2020 at 08:28:16AM -0800, Bart Van Assche wrote:
> As one can see in __qla2x00_marker() a value is assigned to mrk24->handle()
> by __qla2x00_alloc_iocbs(). That function calls qla2xxx_get_next_handle() to
> determine the 'handle' value. The implementation of that last function is as
> follows:
>
> uint32_t qla2xxx_get_next_handle(struct req_que *req)
> {
> 	uint32_t index, handle = req->current_outstanding_cmd;
>
> 	for (index = 1; index < req->num_outstanding_cmds; index++) {
> 		handle++;
> 		if (handle == req->num_outstanding_cmds)
> 			handle = 1;
> 		if (!req->outstanding_cmds[handle])
> 			return handle;
> 	}
>
> 	return 0;
> }
>
> Since 'num_outstanding_cmds' is a 16-bit variable I think that guarantees
> that the code quoted in your e-mail passes a 16-bit value as the second
> argument to make_handle().
>
> Additionally, if the second argument to make_handle() would be larger than
> 0x10000, the following code from qla2x00_status_entry() would map
> sts->handle to another queue and another command than those through which the
> command was submitted to the firmware:
>
> 	handle = (uint32_t) LSW(sts->handle);
> 	que = MSW(sts->handle);
> 	req = ha->req_q_map[que];

Thanks for digging through it. I stopped at the function signature :)

Changing the return type of qla2xxx_get_next_handle() would be a new patch.
In this case this patch is good.

Reviewed-by: Daniel Wagner <dwagner@xxxxxxx>
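The handle allocator and the queue/handle split discussed above, as an added example that is not from this thread or the qla2xxx driver. The request-queue struct is a constructed stand-in with only the fields the allocator touches, and make_handle() is assumed to put the queue in the high 16 bits and the handle in the low 16 bits, which is what the LSW()/MSW() split in qla2x00_status_entry() implies.

```c
#include <stdint.h>
/* Constructed stand-in for the driver's request queue (only the fields the
 * allocator touches); num_outstanding_cmds is 16-bit as in the discussion. */
#define MAX_CMDS 8
struct req_que {
	uint16_t num_outstanding_cmds;
	uint32_t current_outstanding_cmd;
	void *outstanding_cmds[MAX_CMDS];
};

/* Same ring scan as the quoted qla2xxx_get_next_handle(): wrap at
 * num_outstanding_cmds, never hand out slot 0, return 0 when the ring is full. */
static uint32_t get_next_handle(struct req_que *req)
{
	uint32_t index, handle = req->current_outstanding_cmd;
	for (index = 1; index < req->num_outstanding_cmds; index++) {
		handle++;
		if (handle == req->num_outstanding_cmds)
			handle = 1;
		if (!req->outstanding_cmds[handle])
			return handle;
	}
	return 0;
}

/* Assumed packing (queue in the high word, handle in the low word), not copied
 * from the driver. A handle above 0xffff would spill into the queue bits. */
static uint32_t make_handle(uint16_t que, uint32_t handle) { return ((uint32_t)que << 16) | handle; }
static uint16_t lsw(uint32_t v) { return (uint16_t)(v & 0xffffu); }
static uint16_t msw(uint32_t v) { return (uint16_t)(v >> 16); }

/* Drain the ring for queue 'que', pack each handle, and check the completion
 * side recovers the same (que, handle). Returns handles handed out, -1 on mismatch. */
static int check_round_trip(uint16_t que)
{
	struct req_que req = { .num_outstanding_cmds = MAX_CMDS };
	static int in_use;
	int count = 0;
	uint32_t h;
	while ((h = get_next_handle(&req)) != 0) {
		uint32_t packed = make_handle(que, h);
		if (h > 0xffffu || lsw(packed) != h || msw(packed) != que)
			return -1;
		req.outstanding_cmds[h] = &in_use;	/* mark the slot taken */
		req.current_outstanding_cmd = h;
		count++;
	}
	return count;
}
```

Because the scan never returns a handle at or above num_outstanding_cmds, every handle fits in the low word; the last two assertions in the accompanying check show how an oversized handle would be decoded as a different queue and command.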