# HG changeset patch
# User t.horikoshi@jp.fujitsu.com
# Date 1215411175 -32400
# Node ID d73589d6b12bd4df3836c8977985d8d596ab9dda
# Parent  bb937c2f73823cbf636e6245e9aaf9d703b90da9
pvscsi: Add sanity checking

Signed-off-by: Tomonari Horikoshi <t.horikoshi@jp.fujitsu.com>
Signed-off-by: Jun Kamada <kama@jp.fujitsu.com>

diff -r bb937c2f7382 -r d73589d6b12b drivers/xen/scsiback/scsiback.c
--- a/drivers/xen/scsiback/scsiback.c	Fri Jul 04 17:55:07 2008 +0100
+++ b/drivers/xen/scsiback/scsiback.c	Mon Jul 07 15:12:55 2008 +0900
@@ -283,6 +283,13 @@ static int scsiback_gnttab_data_map(vscs
 			pending_req->sgl[i].offset = ring_req->seg[i].offset;
 			pending_req->sgl[i].length = ring_req->seg[i].length;
 			data_len += pending_req->sgl[i].length;
+
+			barrier();
+			if (pending_req->sgl[i].offset >= PAGE_SIZE ||
+			    pending_req->sgl[i].length > PAGE_SIZE ||
+			    pending_req->sgl[i].offset + pending_req->sgl[i].length > PAGE_SIZE)
+				err |= 1;
+
 		}
 
 		if (err)
@@ -509,7 +516,7 @@ static int prepare_pending_reqs(struct v
 
 	/* request range check from frontend */
 	pending_req->sc_data_direction = ring_req->sc_data_direction;
-	rmb();
+	barrier();
 	if ((pending_req->sc_data_direction != DMA_BIDIRECTIONAL) &&
 		(pending_req->sc_data_direction != DMA_TO_DEVICE) &&
 		(pending_req->sc_data_direction != DMA_FROM_DEVICE) &&
@@ -521,7 +528,7 @@ static int prepare_pending_reqs(struct v
 	}
 
 	pending_req->nr_segments = ring_req->nr_segments;
-	rmb();
+	barrier();
 	if (pending_req->nr_segments > VSCSIIF_SG_TABLESIZE) {
 		DPRINTK("scsiback: invalid parameter nr_seg = %d\n",
 			pending_req->nr_segments);
@@ -530,7 +537,7 @@ static int prepare_pending_reqs(struct v
 	}
 
 	pending_req->cmd_len = ring_req->cmd_len;
-	rmb();
+	barrier();
 	if (pending_req->cmd_len > VSCSIIF_MAX_COMMAND_SIZE) {
 		DPRINTK("scsiback: invalid parameter cmd_len = %d\n",
 			pending_req->cmd_len);