qla2xxx: Correct out of bounds read of ISP2200 mailbox registers.

qla2xxx: Correct out of bounds read of ISP2200 mailbox registers.

From Olatunji:

	A tool that I m building for finding memory faults in
	Linux drivers is reporting that the following loop, in
	qla2x00_mbx_completion(), reads outside the allocated io memory
	while reading ISP2200 mailbox registers.  I would appreciate your
	help in confirming this bug.

	...
	  wptr = (uint16_t __iomem *)MAILBOX_REG(ha, reg, 1);
	 for (cnt = 1; cnt < ha->mbx_count; cnt++) {
	    if (IS_QLA2200(ha) && cnt == 8)
		wptr = (uint16_t __iomem *)MAILBOX_REG(ha, reg, 8);
	    if (cnt == 4 || cnt == 5)
		ha->mailbox_out[cnt] = qla2x00_debounce_register(wptr);
	    else
	       ha->mailbox_out[cnt] = RD_REG_WORD(wptr);
	     wptr++;
	  }
	...

	During isp2200 initialization (qla2x00_probe_one), ha->mbx_count
	is set to 32, even though isp2200 has 24 mailbox registers
	(mailbox0 ... mailbox23).  Therefore the loop runs for
	cnt=[1..31], wptr walks off the allocated mailbox register region
	at cnt==24, and results in out-of-bounds reads.

	Although I observed this problem in linux2.6.17.1, I
	confirmed that it also exists in 2.6.37 and 3.1-rc4.

Fortunately, the reads outside the 24 mailbox registers are
benign.  For correctness, limit the driver's read to 24.

JIRA Key: V2632FC-95