aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMoore, Eric <Eric.Moore@lsil.com>2006-01-17 17:06:29 -0700
committerJames Bottomley <jejb@mulgrave.(none)>2006-01-31 14:40:05 -0600
commit2254c86db124a37057116ad20a8de7b8483b6f44 (patch)
tree324c4e17c925d3a229b6f522644c37c67c08e3e6
parenta69ac3248513ff0fbbdd8f316136036b3b8067a9 (diff)
downloadkernel_samsung_smdk4412-2254c86db124a37057116ad20a8de7b8483b6f44.zip
kernel_samsung_smdk4412-2254c86db124a37057116ad20a8de7b8483b6f44.tar.gz
kernel_samsung_smdk4412-2254c86db124a37057116ad20a8de7b8483b6f44.tar.bz2
[SCSI] fusion: add message sanity check
This adds a sanity check in the interrupt routine insures incoming message frames are a valid message frames. The code for setting 0xdeadbeaf in the freed message frames, apparently was already submitted by Christoph in previous patch submission. Signed-off-by: Eric Moore <Eric.Moore@lsil.com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
-rw-r--r--drivers/message/fusion/mptscsih.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/drivers/message/fusion/mptscsih.c b/drivers/message/fusion/mptscsih.c
index 2e1c9ff..05789e5 100644
--- a/drivers/message/fusion/mptscsih.c
+++ b/drivers/message/fusion/mptscsih.c
@@ -560,11 +560,24 @@ mptscsih_io_done(MPT_ADAPTER *ioc, MPT_FRAME_HDR *mf, MPT_FRAME_HDR *mr)
MPT_SCSI_HOST *hd;
SCSIIORequest_t *pScsiReq;
SCSIIOReply_t *pScsiReply;
- u16 req_idx;
+ u16 req_idx, req_idx_MR;
hd = (MPT_SCSI_HOST *) ioc->sh->hostdata;
req_idx = le16_to_cpu(mf->u.frame.hwhdr.msgctxu.fld.req_idx);
+ req_idx_MR = (mr != NULL) ?
+ le16_to_cpu(mr->u.frame.hwhdr.msgctxu.fld.req_idx) : req_idx;
+ if ((req_idx != req_idx_MR) ||
+ (mf->u.frame.linkage.arg1 == 0xdeadbeaf)) {
+ printk(MYIOC_s_ERR_FMT "Received a mf that was already freed\n",
+ ioc->name);
+ printk (MYIOC_s_ERR_FMT
+ "req_idx=%x req_idx_MR=%x mf=%p mr=%p sc=%p\n",
+ ioc->name, req_idx, req_idx_MR, mf, mr,
+ hd->ScsiLookup[req_idx_MR]);
+ return 0;
+ }
+
sc = hd->ScsiLookup[req_idx];
if (sc == NULL) {
MPIHeader_t *hdr = (MPIHeader_t *)mf;