From 81d7cd4d8d5fa46e14666b0e5e8576aebf94d089 Mon Sep 17 00:00:00 2001 From: Himanshu Madhani Date: Thu, 21 Nov 2019 16:36:36 -0500 Subject: [PATCH 126/155] [scsi] scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd Message-id: <20191121163701.43688-2-hmadhani@redhat.com> Patchwork-id: 287845 O-Subject: [RHLE 7.8 e-stor PATCH v3 01/26] scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd Bugzilla: 1731581 RH-Acked-by: Jarod Wilson RH-Acked-by: Ewan Milne RH-Acked-by: Tony Camuso From: Bill Kuzeja Bugzilla 1731581 In qla2x00_async_tm_cmd, we reference off sp after it has been freed. This caused a panic on a system running a slub debug kernel. Since fcport is passed in anyways, just use that instead. Signed-off-by: Bill Kuzeja Acked-by: Giridhar Malavali Acked-by: Himanshu Madhani Signed-off-by: Martin K. Petersen (cherry picked from commit 388a49959ee4e4e99f160241d9599efa62cd4299) Signed-off-by: Himanshu Madhani [ hmadhani: upstream code when this patch was submitted was before Qpair ] [ changes were added. RH code has changes for qpair pulled in earlier ] [ so this patch shows deviation from upstream. However, actual change in ] [ the patch is applicable and has not been altered ] Signed-off-by: Himanshu Madhani Signed-off-by: Jan Stancek --- drivers/scsi/qla2xxx/qla_init.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c index 661ecb5bc0e4..1c74e8b0e10d 100644 --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -1781,13 +1781,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun, /* Issue Marker IOCB */ qla2x00_marker(vha, vha->hw->base_qpair, - sp->fcport->loop_id, lun, + fcport->loop_id, lun, flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID); } done_free_sp: sp->free(sp); - sp->fcport->flags &= ~FCF_ASYNC_SENT; + fcport->flags &= ~FCF_ASYNC_SENT; done: return rval; } -- 2.13.6
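Review bot: the use-after-free this patch targets is in the `done_free_sp:` path, where `sp->free(sp);` is immediately followed by `sp->fcport->flags &= ~FCF_ASYNC_SENT;`, so the second change (`fcport->flags &= ~FCF_ASYNC_SENT;`) is the one that actually removes the dereference of freed memory. The first change, `sp->fcport->loop_id` to `fcport->loop_id` in the `qla2x00_marker()` call, runs before `sp->free(sp)` and is not a use-after-free on its own; it is still worth keeping, since the commit message states that `fcport` is the same port that was passed in and using it consistently avoids any later reordering reintroducing the bug. The fix relies on the caller's `fcport` staying valid for the duration of the call, which is the existing contract (the pointer is a function parameter and nothing in this hunk takes or drops a reference on it), so no extra get/put is needed here. Given the backport note that this hunk already deviates from upstream because the RH tree has the qpair changes (`vha->hw->base_qpair` in the marker call), a one-line comment above `done_free_sp:` saying that `sp` must not be touched after `sp->free(sp)` would make the intent explicit for the next person rebasing this function.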