提交 324f6678 编写于 作者: V Vasu Dev 提交者: James Bottomley

[SCSI] libfc, fcoe: ignore rx frame with wrong xid info

Drop the rx frame having xid with wrong cpu info
or received with xid  not matching to our xid.

Not dropping such frame is causing panic as
that causes accessing data struct beyond their
bounds.
Signed-off-by: NVasu Dev <vasu.dev@intel.com>
Tested-by: NRoss Brattain <ross.b.brattain@intel.com>
Signed-off-by: NRobert Love <robert.w.love@intel.com>
Signed-off-by: NJames Bottomley <JBottomley@Parallels.com>
上级 6f06e3a7
...@@ -1373,6 +1373,10 @@ int fcoe_rcv(struct sk_buff *skb, struct net_device *netdev, ...@@ -1373,6 +1373,10 @@ int fcoe_rcv(struct sk_buff *skb, struct net_device *netdev,
} else } else
cpu = smp_processor_id(); cpu = smp_processor_id();
} }
if (cpu >= nr_cpu_ids)
goto err;
fps = &per_cpu(fcoe_percpu, cpu); fps = &per_cpu(fcoe_percpu, cpu);
spin_lock_bh(&fps->fcoe_rx_list.lock); spin_lock_bh(&fps->fcoe_rx_list.lock);
if (unlikely(!fps->thread)) { if (unlikely(!fps->thread)) {
......
...@@ -802,10 +802,8 @@ static struct fc_exch *fc_exch_find(struct fc_exch_mgr *mp, u16 xid) ...@@ -802,10 +802,8 @@ static struct fc_exch *fc_exch_find(struct fc_exch_mgr *mp, u16 xid)
pool = per_cpu_ptr(mp->pool, xid & fc_cpu_mask); pool = per_cpu_ptr(mp->pool, xid & fc_cpu_mask);
spin_lock_bh(&pool->lock); spin_lock_bh(&pool->lock);
ep = fc_exch_ptr_get(pool, (xid - mp->min_xid) >> fc_cpu_order); ep = fc_exch_ptr_get(pool, (xid - mp->min_xid) >> fc_cpu_order);
if (ep) { if (ep && ep->xid == xid)
fc_exch_hold(ep); fc_exch_hold(ep);
WARN_ON(ep->xid != xid);
}
spin_unlock_bh(&pool->lock); spin_unlock_bh(&pool->lock);
} }
return ep; return ep;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册