scsi: qla2xxx: Fix mem access after free
commit b843adde8d490934d042fbe9e3e46697cb3a64d2 upstream.
System crash, where the driver is accessing the scsi layer's
memory (scsi_cmnd->device->host) to search for a well-known internal
pointer (vha). The scsi_cmnd was released back to the upper layer, which
could have freed it, but the driver is still accessing it.
 7 [ffffa8e8d2c3f8d0] page_fault at ffffffff86c010fe
    [exception RIP: __qla2x00_eh_wait_for_pending_commands+240]
    RIP: ffffffffc0642350  RSP: ffffa8e8d2c3f988  RFLAGS: 00010286
    RAX: 0000000000000165  RBX: 0000000000000002  RCX: 00000000000036d8
    RDX: 0000000000000000  RSI: ffff9c5c56535188  RDI: 0000000000000286
    RBP: ffff9c5bf7aa4a58   R8: ffff9c589aecdb70   R9: 00000000000003d1
    R10: 0000000000000001  R11: 0000000000380000  R12: ffff9c5c5392bc78
    R13: ffff9c57044ff5c0  R14: ffff9c56b5a3aa00  R15: 00000000000006db
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 8 [ffffa8e8d2c3f9c8] qla2x00_eh_wait_for_pending_commands at ffffffffc0646dd5 [qla2xxx]
 9 [ffffa8e8d2c3fa00] __qla2x00_async_tm_cmd at ffffffffc0658094 [qla2xxx]
Remove access of freed memory. Currently the driver was checking to see if
scsi_done was called by seeing if the sp->type has changed. Instead,
check to see if the command has left the outstanding_cmds[] array as
a sign that scsi_done was called.
Cc: stable@vger.kernel.org
Signed-off-by: Quinn Tran <qutran@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Link: https://lore.kernel.org/r/20230428075339.32551-6-njavali@marvell.com
Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
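As an added illustration (not part of this commit or of the qla2xxx driver), the C model below shows the ownership pattern the fix describes: completion clears the driver-owned outstanding_cmds[] slot before the command is handed back and freed, and the wait path decides whether a command is still in flight by looking only at that array, never by dereferencing the command itself. All names (demo_*), the slot layout and the scenario are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not qla2xxx's types): a host keeps an array of
 * outstanding requests; a command's handle is its index into it. */
#define DEMO_MAX_OUTSTANDING 8

struct demo_cmd {            /* stands in for scsi_cmnd plus its srb */
    int type;                /* the field the old check used to read */
    int handle;              /* index into outstanding_cmds[] */
};

struct demo_host {
    struct demo_cmd *outstanding_cmds[DEMO_MAX_OUTSTANDING];
};

/* Issue path: park the command in a free slot; returns -1 when full. */
static int demo_issue(struct demo_host *h, struct demo_cmd *cmd)
{
    for (int i = 0; i < DEMO_MAX_OUTSTANDING; i++) {
        if (!h->outstanding_cmds[i]) {
            cmd->handle = i;
            h->outstanding_cmds[i] = cmd;
            return 0;
        }
    }
    return -1;
}

/* Completion path (the scsi_done analogue): the slot is cleared FIRST,
 * then the command goes back to its owner, which may free it at once.
 * After this call the driver must not touch *cmd. */
static void demo_complete(struct demo_host *h, struct demo_cmd *cmd)
{
    h->outstanding_cmds[cmd->handle] = NULL;
    free(cmd);
}

/* Fixed-style check: "is this command still in my array?"  Only the
 * driver-owned array is read; the command is identified by the handle
 * and pointer value recorded while it was still valid, so nothing
 * that might be freed is dereferenced. */
static int demo_is_pending(const struct demo_host *h, int handle, uintptr_t key)
{
    return (uintptr_t)h->outstanding_cmds[handle] == key;
}

/* Walk the array the way a "wait for pending" helper would: every entry
 * still present is owned by the driver and safe to dereference. */
static int demo_count_pending(const struct demo_host *h)
{
    int n = 0;
    for (int i = 0; i < DEMO_MAX_OUTSTANDING; i++)
        if (h->outstanding_cmds[i] && h->outstanding_cmds[i]->type >= 0)
            n++;
    return n;
}

/* Scenario: issue two commands, complete one, and confirm the wait-side
 * check sees the completed one as gone without reading freed memory.
 * Returns 1 on success, 0 otherwise. */
static int demo_scenario(void)
{
    struct demo_host h;
    memset(&h, 0, sizeof h);

    struct demo_cmd *a = calloc(1, sizeof *a);
    struct demo_cmd *b = calloc(1, sizeof *b);
    if (!a || !b || demo_issue(&h, a) || demo_issue(&h, b))
        return 0;

    int ha = a->handle, hb = b->handle;       /* recorded while valid */
    uintptr_t ka = (uintptr_t)a, kb = (uintptr_t)b;

    demo_complete(&h, a);                     /* a is freed here */

    int a_pending = demo_is_pending(&h, ha, ka);   /* expect 0 */
    int b_pending = demo_is_pending(&h, hb, kb);   /* expect 1 */
    int in_flight = demo_count_pending(&h);        /* expect 1 */

    demo_complete(&h, b);
    return a_pending == 0 && b_pending == 1 && in_flight == 1 &&
           demo_count_pending(&h) == 0;
}

int main(void)
{
    printf("scenario ok: %d\n", demo_scenario());
    return 0;
}
```

The point of the model is the ordering: the slot is cleared before ownership is released, so "left the array" is a safe signal of completion, whereas reading sp->type (here demo_cmd.type) after completion reads memory the driver no longer owns.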