From: Roland Dreier <roland@xxxxxxxxxxxxxxx> The target code queues IOCBs with handles that have some high-order bits set (CTIO_COMPLETION_HANDLE_MARK etc). If one of these requests fails, the current qla2x00_error_entry() code takes the top 16 bits of the handle and uses that to look up the request queue, which ends up crashing by dereferencing a bogus entry off the end of req_q_map. Fix this by checking that the que number is in bounds before looking up the req_q_map entry. Signed-off-by: Roland Dreier <roland@xxxxxxxxxxxxxxx>
---
drivers/scsi/qla2xxx/qla_isr.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
index 8bbe515..47008ff 100644
--- a/drivers/scsi/qla2xxx/qla_isr.c
+++ b/drivers/scsi/qla2xxx/qla_isr.c
@@ -1926,7 +1926,7 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt) struct qla_hw_data *ha = vha->hw; uint32_t handle = LSW(pkt->handle); uint16_t que = MSW(pkt->handle);
- struct req_que *req = ha->req_q_map[que];
+ struct req_que *req; #if defined(QL_DEBUG_LEVEL_2) if (pkt->entry_status & RF_INV_E_ORDER) qla_printk(KERN_ERR, ha, "%s: Invalid Entry Order\n", __func__);
@@ -1943,6 +1943,15 @@ qla2x00_error_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, sts_entry_t *pkt) qla_printk(KERN_ERR, ha, "%s: UNKNOWN flag error\n", __func__); #endif
+ if (que >= ha->max_req_queues) { /* Target command with high bits of handle set */ qla_printk(KERN_ERR, ha, "%s: error entry, type 0x%0x status 0x%x\n", __func__, pkt->entry_type, pkt->entry_status); return; }
+ req = ha->req_q_map[que];
+ /* Validate handle. */ if (handle < MAX_OUTSTANDING_COMMANDS) sp = req->outstanding_cmds[handle];
-- 1.7.5.4
-- To unsubscribe from this list: send the line "unsubscribe target-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
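Review bot: After the new bounds check, `req = ha->req_q_map[que]` is still dereferenced unconditionally on the `sp = req->outstanding_cmds[handle]` line in the second hunk; if any slot below `max_req_queues` can be unallocated (a NULL pointer), the crash only moves rather than disappears, so a `if (!req) return;` guard after the lookup is worth adding — confirm against how req_q_map is populated. The early return also discards the error entry for the target-mode IOCB with nothing but a log line, and that line omits the value that actually triggered the path; printing it, e.g. `"%s: error entry, type 0x%x status 0x%x handle 0x%x\n"` with `pkt->handle` appended to the arguments, would make the dropped completion diagnosable (`0x%0x` is the zero-pad flag with no width and can simply be `0x%x`). If the target-mode handle marks can leave the upper 16 bits below `max_req_queues`, this check would not catch them and a marked handle would still be used as a queue index; testing the mark bits explicitly would be more robust, but that depends on the mark values, which are not visible here. qla2x00_error_entry begins before the first hunk and continues past the second.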