| Message ID | 1549981790-18458-1-git-send-email-William.Kuzeja@stratus.com (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 388a49959ee4e4e99f160241d9599efa62cd4299 |
| Headers | show |
| Series | Fix panic from use after free in qla2x00_async_tm_cmd | expand |
On 2/12/19, 6:30 AM, "Bill Kuzeja" <William.Kuzeja@stratus.com> wrote:
External Email
---
In qla2x00_async_tm_cmd, we reference off sp after it has been freed.
This caused a panic on a system running a slub debug kernel. Since
fcport is passed in anyways, just use that instead.
Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
---
drivers/scsi/qla2xxx/qla_init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index aeeb014..8d1acc8 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -1785,13 +1785,13 @@ void qla_rscn_replay(fc_port_t *fcport)
/* Issue Marker IOCB */
qla2x00_marker(vha, vha->hw->req_q_map[0],
- vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun,
+ vha->hw->rsp_q_map[0], fcport->loop_id, lun,
flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
}
done_free_sp:
sp->free(sp);
- sp->fcport->flags &= ~FCF_ASYNC_SENT;
+ fcport->flags &= ~FCF_ASYNC_SENT;
done:
return rval;
}
--
Acked-by: Giridhar Malavali <gmalavali@marvell.com>
1.8.3.1
On 2/12/19, 6:30 AM, "Bill Kuzeja" <William.Kuzeja@stratus.com> wrote:
External Email
---
In qla2x00_async_tm_cmd, we reference off sp after it has been freed.
This caused a panic on a system running a slub debug kernel. Since
fcport is passed in anyways, just use that instead.
Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
---
drivers/scsi/qla2xxx/qla_init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index aeeb014..8d1acc8 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -1785,13 +1785,13 @@ void qla_rscn_replay(fc_port_t *fcport)
/* Issue Marker IOCB */
qla2x00_marker(vha, vha->hw->req_q_map[0],
- vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun,
+ vha->hw->rsp_q_map[0], fcport->loop_id, lun,
flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
}
done_free_sp:
sp->free(sp);
- sp->fcport->flags &= ~FCF_ASYNC_SENT;
+ fcport->flags &= ~FCF_ASYNC_SENT;
done:
return rval;
}
--
1.8.3.1
Looks good.
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Hi Bill, Applied to 5.0/scsi-fixes, thanks! PS. Please be careful with separator dashes: > --- ^^^ This caused an empty commit message and a checkpatch warning that your SoB was missing. I fixed it up. > In qla2x00_async_tm_cmd, we reference off sp after it has been freed. > This caused a panic on a system running a slub debug kernel. Since > fcport is passed in anyways, just use that instead.
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c index aeeb014..8d1acc8 100644 --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -1785,13 +1785,13 @@ void qla_rscn_replay(fc_port_t *fcport) /* Issue Marker IOCB */ qla2x00_marker(vha, vha->hw->req_q_map[0], - vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun, + vha->hw->rsp_q_map[0], fcport->loop_id, lun, flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID); } done_free_sp: sp->free(sp); - sp->fcport->flags &= ~FCF_ASYNC_SENT; + fcport->flags &= ~FCF_ASYNC_SENT; done: return rval; }
--- In qla2x00_async_tm_cmd, we reference off sp after it has been freed. This caused a panic on a system running a slub debug kernel. Since fcport is passed in anyways, just use that instead. Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com> --- drivers/scsi/qla2xxx/qla_init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)