Commit 6641df81 authored Mar 29, 2021 by Arun Easi Committed by Martin K. Petersen Mar 29, 2021

scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()

    RIP: 0010:kmem_cache_free+0xfa/0x1b0
    Call Trace:
       qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
       scsi_queue_rq+0x5e2/0xa40
       __blk_mq_try_issue_directly+0x128/0x1d0
       blk_mq_request_issue_directly+0x4e/0xb0

Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now
allocated by upper layers. This fixes smatch warning of srb unintended
free.

Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com


Fixes: af2a0c51 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
Cc: stable@vger.kernel.org # 5.5
Reported-by: Laurence Oberman <loberman@redhat.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

parent 2ce35c08

drivers/scsi/qla2xxx/qla_os.c

+0 −7

Original line number	Diff line number	Diff line
		@@ -1013,8 +1013,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host host, struct scsi_cmnd cmd,
		if (rval != QLA_SUCCESS) {
		ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,
		"Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);
		if (rval == QLA_INTERFACE_ERROR)
		goto qc24_free_sp_fail_command;
		goto qc24_host_busy_free_sp;
		}

		@@ -1026,11 +1024,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host host, struct scsi_cmnd cmd,
		qc24_target_busy:
		return SCSI_MLQUEUE_TARGET_BUSY;

		qc24_free_sp_fail_command:
		sp->free(sp);
		CMD_SP(cmd) = NULL;
		qla2xxx_rel_qpair_sp(sp->qpair, sp);

		qc24_fail_command:
		cmd->scsi_done(cmd);