From patchwork Tue Feb 12 14:29:50 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bill Kuzeja <William.Kuzeja@stratus.com>
X-Patchwork-Id: 10808073
Return-Path: <linux-scsi-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F22E01575
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Tue, 12 Feb 2019 14:36:03 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E194C2861D
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Tue, 12 Feb 2019 14:36:03 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D5EC122A2A; Tue, 12 Feb 2019 14:36:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3767F22A2A
	for <patchwork-linux-scsi@patchwork.kernel.org>;
 Tue, 12 Feb 2019 14:36:03 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729579AbfBLOgC convert rfc822-to-8bit (ORCPT
        <rfc822;patchwork-linux-scsi@patchwork.kernel.org>);
        Tue, 12 Feb 2019 09:36:02 -0500
Received: from us-smtp-delivery-131.mimecast.com ([63.128.21.131]:41220 "EHLO
        us-smtp-delivery-131.mimecast.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1729063AbfBLOgC (ORCPT
        <rfc822;linux-scsi@vger.kernel.org>);
        Tue, 12 Feb 2019 09:36:02 -0500
X-Greylist: delayed 368 seconds by postgrey-1.27 at vger.kernel.org;
 Tue, 12 Feb 2019 09:36:02 EST
Received: from mailhub5.stratus.com (mailhub.stratus.com [134.111.1.18]) by
 relay.mimecast.com with ESMTP id us-mta-192-9HyFuZ4FN_-94yHsvVN4fg-1; Tue,
 12 Feb 2019 09:29:51 -0500
Received: from EXHQ1.corp.stratus.com (exhq1.corp.stratus.com
 [134.111.200.125])
        by mailhub5.stratus.com (8.12.11/8.12.11) with ESMTP id
 x1CETpcX030256;
        Tue, 12 Feb 2019 09:29:51 -0500
Received: from linuxdev.lnx.eng.stratus.com (134.111.220.63) by
 EXHQ1.corp.stratus.com (134.111.200.125) with Microsoft SMTP Server (TLS) id
 14.3.279.2; Tue, 12 Feb 2019 09:29:44 -0500
From: Bill Kuzeja <William.Kuzeja@stratus.com>
To: <linux-scsi@vger.kernel.org>
CC: <qla2xxx-upstream@qlogic.com>, <William.Kuzeja@stratus.com>
Subject: [PATCH] Fix panic from use after free in qla2x00_async_tm_cmd
Date: Tue, 12 Feb 2019 09:29:50 -0500
Message-ID: <1549981790-18458-1-git-send-email-William.Kuzeja@stratus.com>
X-Mailer: git-send-email 1.8.3.1
MIME-Version: 1.0
X-MC-Unique: 9HyFuZ4FN_-94yHsvVN4fg-1
X-Mimecast-Spam-Score: 0
Sender: linux-scsi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-scsi.vger.kernel.org>
X-Mailing-List: linux-scsi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

---
In qla2x00_async_tm_cmd, we reference off sp after it has been freed. 
This caused a panic on a system running a slub debug kernel. Since
fcport is passed in anyways, just use that instead.

Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com>
Acked-by: Giridhar Malavali <gmalavali@marvell.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
---
 drivers/scsi/qla2xxx/qla_init.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index aeeb014..8d1acc8 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -1785,13 +1785,13 @@ void qla_rscn_replay(fc_port_t *fcport)
 
 		/* Issue Marker IOCB */
 		qla2x00_marker(vha, vha->hw->req_q_map[0],
-		    vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun,
+		    vha->hw->rsp_q_map[0], fcport->loop_id, lun,
 		    flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
 	}
 
 done_free_sp:
 	sp->free(sp);
-	sp->fcport->flags &= ~FCF_ASYNC_SENT;
+	fcport->flags &= ~FCF_ASYNC_SENT;
 done:
 	return rval;
 }