[06/11] qla2xxx: Fix crash in qla2xxx_mqueuecommand

Message ID 20210323044257.26664-7-njavali@marvell.com
State Superseded
Series qla2xxx driver bug fixes

Commit Message

Nilesh Javali March 23, 2021, 4:42 a.m. UTC
From: Arun Easi <aeasi@marvell.com>

    RIP: 0010:kmem_cache_free+0xfa/0x1b0
    Call Trace:
       qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
       scsi_queue_rq+0x5e2/0xa40
       __blk_mq_try_issue_directly+0x128/0x1d0
       blk_mq_request_issue_directly+0x4e/0xb0

Fix incorrect call to free srb in qla2xxx_mqueuecommand, as
srb is now allocated by upper layers. This fixes smatch warning of
srb unintended free.

Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
Cc: stable@vger.kernel.org # 5.5
Reported-by: Laurence Oberman <loberman@redhat.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Arun Easi <aeasi@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
---
 drivers/scsi/qla2xxx/qla_os.c | 7 -------
 1 file changed, 7 deletions(-)

Comments

Himanshu Madhani March 24, 2021, 3:57 p.m. UTC | #1
> On Mar 22, 2021, at 11:42 PM, Nilesh Javali <njavali@marvell.com> wrote:
> 
> From: Arun Easi <aeasi@marvell.com>
> 
>    RIP: 0010:kmem_cache_free+0xfa/0x1b0
>    Call Trace:
>       qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
>       scsi_queue_rq+0x5e2/0xa40
>       __blk_mq_try_issue_directly+0x128/0x1d0
>       blk_mq_request_issue_directly+0x4e/0xb0
> 
> Fix incorrect call to free srb in qla2xxx_mqueuecommand, as
> srb is now allocated by upper layers. This fixes smatch warning of
> srb unintended free.
> 
> Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
> Cc: stable@vger.kernel.org # 5.5
> Reported-by: Laurence Oberman <loberman@redhat.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Arun Easi <aeasi@marvell.com>
> Signed-off-by: Nilesh Javali <njavali@marvell.com>
> ---
> drivers/scsi/qla2xxx/qla_os.c | 7 -------
> 1 file changed, 7 deletions(-)
> 

> diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c

> index 6563d69706ba..6a57399b515f 100644

> --- a/drivers/scsi/qla2xxx/qla_os.c

> +++ b/drivers/scsi/qla2xxx/qla_os.c

> @@ -1013,8 +1013,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd,

> 	if (rval != QLA_SUCCESS) {

> 		ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,

> 		    "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);

> -		if (rval == QLA_INTERFACE_ERROR)

> -			goto qc24_free_sp_fail_command;

> 		goto qc24_host_busy_free_sp;

> 	}

> 

> @@ -1026,11 +1024,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd,

> qc24_target_busy:

> 	return SCSI_MLQUEUE_TARGET_BUSY;

> 

> -qc24_free_sp_fail_command:

> -	sp->free(sp);

> -	CMD_SP(cmd) = NULL;

> -	qla2xxx_rel_qpair_sp(sp->qpair, sp);

> -

> qc24_fail_command:

> 	cmd->scsi_done(cmd);

> 

> -- 

> 2.19.0.rc0

> 


Looks good. 

Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>


--
Himanshu Madhani	 Oracle Linux Engineering
Patch

diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
index 6563d69706ba..6a57399b515f 100644
--- a/drivers/scsi/qla2xxx/qla_os.c
+++ b/drivers/scsi/qla2xxx/qla_os.c
@@ -1013,8 +1013,6 @@  qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd,
 	if (rval != QLA_SUCCESS) {
 		ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,
 		    "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);
-		if (rval == QLA_INTERFACE_ERROR)
-			goto qc24_free_sp_fail_command;
 		goto qc24_host_busy_free_sp;
 	}
 
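Review bot: dropping the QLA_INTERFACE_ERROR branch changes how that error is reported, not only what gets freed. Before, rval == QLA_INTERFACE_ERROR jumped to a label that fell through to qc24_fail_command and completed the command with cmd->scsi_done(cmd); now it takes goto qc24_host_busy_free_sp together with every other non-success value. The commit message mentions only the srb free, so please state whether routing an interface error through that path is intended, or keep a separate failure path for it that simply skips the release. It is also worth confirming in the message that qc24_host_busy_free_sp, which by its name still frees sp, does not run into the same kmem_cache_free problem now that it is the only error exit from this check.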
@@ -1026,11 +1024,6 @@  qla2xxx_mqueuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd,
 qc24_target_busy:
 	return SCSI_MLQUEUE_TARGET_BUSY;
 
-qc24_free_sp_fail_command:
-	sp->free(sp);
-	CMD_SP(cmd) = NULL;
-	qla2xxx_rel_qpair_sp(sp->qpair, sp);
-
 qc24_fail_command:
 	cmd->scsi_done(cmd);
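
Review bot: the removed qc24_free_sp_fail_command block did three separate things (sp->free(sp), CMD_SP(cmd) = NULL, and qla2xxx_rel_qpair_sp(sp->qpair, sp)), and the commit message does not say which of them is the call that ends up in kmem_cache_free in the posted trace. Naming the offending call, and saying why the other two are no longer needed on any path, would make the fix easier to verify for the stable backport requested for 5.5. The old code also read sp->qpair after calling sp->free(sp); if any remaining error path keeps that order, it deserves the same look.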