summaryrefslogtreecommitdiff
path: root/drivers/scsi/libfc
diff options
context:
space:
mode:
authorHannes Reinecke <hare@suse.de>2016-10-13 16:10:49 +0300
committerMartin K. Petersen <martin.petersen@oracle.com>2016-11-09 01:29:52 +0300
commitb73aa56ee91cd88a4977033cfd2a18d6b25dddde (patch)
treed2f0d144aeb58278b397509973f0f3ddc7f62323 /drivers/scsi/libfc
parent5d339d163a541ceb13074789ac2f8c35b11ebda9 (diff)
downloadlinux-b73aa56ee91cd88a4977033cfd2a18d6b25dddde.tar.xz
scsi: libfc: safeguard against invalid exchange index
The cached exchange index might be invalid, in which case we should drop down to allocate a new one. And we should not try to access an invalid exchange when responding to a BA_ABTS. Signed-off-by: Hannes Reinecke <hare@suse.com> Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Diffstat (limited to 'drivers/scsi/libfc')
-rw-r--r--drivers/scsi/libfc/fc_exch.c21
1 files changed, 14 insertions, 7 deletions
diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
index 99cc5a941997..7b47ab1389ca 100644
--- a/drivers/scsi/libfc/fc_exch.c
+++ b/drivers/scsi/libfc/fc_exch.c
@@ -827,14 +827,18 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport,
/* peek cache of free slot */
if (pool->left != FC_XID_UNKNOWN) {
- index = pool->left;
- pool->left = FC_XID_UNKNOWN;
- goto hit;
+ if (!WARN_ON(fc_exch_ptr_get(pool, pool->left))) {
+ index = pool->left;
+ pool->left = FC_XID_UNKNOWN;
+ goto hit;
+ }
}
if (pool->right != FC_XID_UNKNOWN) {
- index = pool->right;
- pool->right = FC_XID_UNKNOWN;
- goto hit;
+ if (!WARN_ON(fc_exch_ptr_get(pool, pool->right))) {
+ index = pool->right;
+ pool->right = FC_XID_UNKNOWN;
+ goto hit;
+ }
}
index = pool->next_index;
@@ -1782,7 +1786,10 @@ static void fc_exch_recv_bls(struct fc_exch_mgr *mp, struct fc_frame *fp)
fc_frame_free(fp);
break;
case FC_RCTL_BA_ABTS:
- fc_exch_recv_abts(ep, fp);
+ if (ep)
+ fc_exch_recv_abts(ep, fp);
+ else
+ fc_frame_free(fp);
break;
default: /* ignore junk */
fc_frame_free(fp);