Commit 8ab49fd5, author: Bill Kuzeja, committer: Greg Kroah-Hartman

scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd

[ Upstream commit 388a49959ee4e4e99f160241d9599efa62cd4299 ]

In qla2x00_async_tm_cmd, we reference off sp after it has been freed.  This
caused a panic on a system running a slub debug kernel. Since fcport is
passed in anyways, just use that instead.

Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
Acked-by: Giridhar Malavali <gmalavali@marvell.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Parent 53dcaeef
...@@ -1719,13 +1719,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun, ...@@ -1719,13 +1719,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
/* Issue Marker IOCB */ /* Issue Marker IOCB */
qla2x00_marker(vha, vha->hw->req_q_map[0], qla2x00_marker(vha, vha->hw->req_q_map[0],
vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun, vha->hw->rsp_q_map[0], fcport->loop_id, lun,
flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID); flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
} }
done_free_sp: done_free_sp:
sp->free(sp); sp->free(sp);
sp->fcport->flags &= ~FCF_ASYNC_SENT; fcport->flags &= ~FCF_ASYNC_SENT;
done: done:
return rval; return rval;
} }
......
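Review bot: At `done_free_sp:`, `fcport->flags &= ~FCF_ASYNC_SENT;` still runs after `sp->free(sp);`, so the fix depends on the caller-supplied `fcport` staying valid once `sp` is released, and nothing in the visible lines documents that. Consider moving the flag clear above `sp->free(sp);` so that all cleanup precedes the release and no statement follows the free, or add a short comment at the label stating that `fcport` is owned by the caller and outlives `sp`. Separately, in the visible lines the `sp->fcport->loop_id` argument to `qla2x00_marker()` is evaluated before the `done_free_sp:` label, so that substitution reads as a consistency cleanup while the dereference after `sp->free(sp);` is the actual post-free access; the commit message would be clearer if it named which of the two lines triggered the panic.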