Re: [PATCH] scsi: qedi: off by one in qedi_get_cmd_from_tid()

2017-08-28 Thread Martin K. Petersen

Dan,

> The > here should be >= or we end up reading one element beyond the
> end of the qedi->itt_map[] array.  The qedi->itt_map[] array is
> allocated in qedi_alloc_itt().

Applied to 4.13/scsi-fixes. Thank you!

-- 
Martin K. Petersen  Oracle Linux Engineering


Re: [PATCH] scsi: qedi: off by one in qedi_get_cmd_from_tid()

2017-08-27 Thread Rangankar, Manish


On 25/08/17 4:06 PM, "Dan Carpenter"  wrote:

>The > here should be >= or we end up reading one element beyond the end
>of the qedi->itt_map[] array.  The qedi->itt_map[] array is allocated in
>qedi_alloc_itt().
>
>Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI
>driver framework.")
>Signed-off-by: Dan Carpenter 
>
>diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
>index c4a470bab4dd..34adc0e0 100644
>--- a/drivers/scsi/qedi/qedi_main.c
>+++ b/drivers/scsi/qedi/qedi_main.c
>@@ -1576,7 +1576,7 @@ struct qedi_cmd *qedi_get_cmd_from_tid(struct
>qedi_ctx *qedi, u32 tid)
> {
>   struct qedi_cmd *cmd = NULL;
> 
>-  if (tid > MAX_ISCSI_TASK_ENTRIES)
>+  if (tid >= MAX_ISCSI_TASK_ENTRIES)
>   return NULL;
> 
>   cmd = qedi->itt_map[tid].p_cmd;
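
Review bot: The new bound at `if (tid >= MAX_ISCSI_TASK_ENTRIES)` is only correct if qedi->itt_map[] holds exactly MAX_ISCSI_TASK_ENTRIES elements, and neither the hunk nor the changelog shows that size; the changelog only says the array is allocated in qedi_alloc_itt(). Stating the element count in the commit message, or in a short comment above the check, would let a reader confirm that tid == MAX_ISCSI_TASK_ENTRIES is the first out-of-range index without opening the allocator.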

Thanks for the patch.

Acked-by: Manish Rangankar 





[PATCH] scsi: qedi: off by one in qedi_get_cmd_from_tid()

2017-08-25 Thread Dan Carpenter

The > here should be >= or we end up reading one element beyond the end
of the qedi->itt_map[] array.  The qedi->itt_map[] array is allocated in
qedi_alloc_itt().

Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver 
framework.")
Signed-off-by: Dan Carpenter 

diff --git a/drivers/scsi/qedi/qedi_main.c b/drivers/scsi/qedi/qedi_main.c
index c4a470bab4dd..34adc0e0 100644
--- a/drivers/scsi/qedi/qedi_main.c
+++ b/drivers/scsi/qedi/qedi_main.c
@@ -1576,7 +1576,7 @@ struct qedi_cmd *qedi_get_cmd_from_tid(struct qedi_ctx 
*qedi, u32 tid)
 {
struct qedi_cmd *cmd = NULL;
 
-   if (tid > MAX_ISCSI_TASK_ENTRIES)
+   if (tid >= MAX_ISCSI_TASK_ENTRIES)
return NULL;
 
cmd = qedi->itt_map[tid].p_cmd;
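
Review bot: The `return NULL;` under the corrected check rejects an out-of-range tid silently, so nothing records that a bad task id reached this lookup. If an out-of-range tid is not expected in normal operation, a rate-limited warning before the return would make the condition visible when diagnosing; if it is expected at times, a one-line comment saying so would help the next reader of `qedi_get_cmd_from_tid()`.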