releases/5.4.118/scsi-qla2xxx-fix-crash-in-qla2xxx_mqueuecommand.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 6641df81ab799f28a5d564f860233dd26cca0d93 Mon Sep 17 00:00:00 2001
 From: Arun Easi <aeasi@marvell.com>
 Date: Mon, 29 Mar 2021 01:52:23 -0700
 Subject: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()

 From: Arun Easi <aeasi@marvell.com>

 commit 6641df81ab799f28a5d564f860233dd26cca0d93 upstream.

     RIP: 0010:kmem_cache_free+0xfa/0x1b0
     Call Trace:
        qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
        scsi_queue_rq+0x5e2/0xa40
        __blk_mq_try_issue_directly+0x128/0x1d0
        blk_mq_request_issue_directly+0x4e/0xb0

 Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now
 allocated by upper layers. This fixes smatch warning of srb unintended
 free.

 Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com
 Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
 Cc: stable@vger.kernel.org # 5.5
 Reported-by: Laurence Oberman <loberman@redhat.com>
 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
 Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
 Signed-off-by: Arun Easi <aeasi@marvell.com>
 Signed-off-by: Nilesh Javali <njavali@marvell.com>
 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  drivers/scsi/qla2xxx/qla_os.c |    7 -------
  1 file changed, 7 deletions(-)

 --- a/drivers/scsi/qla2xxx/qla_os.c
 +++ b/drivers/scsi/qla2xxx/qla_os.c
 @@ -983,8 +983,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *
  	if (rval != QLA_SUCCESS) {
  		ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,
  		    "Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);
 -		if (rval == QLA_INTERFACE_ERROR)
 -			goto qc24_free_sp_fail_command;
  		goto qc24_host_busy_free_sp;
  	}

 @@ -996,11 +994,6 @@ qc24_host_busy_free_sp:
  qc24_target_busy:
  	return SCSI_MLQUEUE_TARGET_BUSY;

 -qc24_free_sp_fail_command:
 -	sp->free(sp);
 -	CMD_SP(cmd) = NULL;
 -	qla2xxx_rel_qpair_sp(sp->qpair, sp);
 -
  qc24_fail_command:
  	cmd->scsi_done(cmd);
	From 6641df81ab799f28a5d564f860233dd26cca0d93 Mon Sep 17 00:00:00 2001
	From: Arun Easi <aeasi@marvell.com>
	Date: Mon, 29 Mar 2021 01:52:23 -0700
	Subject: scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand()

	From: Arun Easi <aeasi@marvell.com>

	commit 6641df81ab799f28a5d564f860233dd26cca0d93 upstream.

	RIP: 0010:kmem_cache_free+0xfa/0x1b0
	Call Trace:
	qla2xxx_mqueuecommand+0x2b5/0x2c0 [qla2xxx]
	scsi_queue_rq+0x5e2/0xa40
	__blk_mq_try_issue_directly+0x128/0x1d0
	blk_mq_request_issue_directly+0x4e/0xb0

	Fix incorrect call to free srb in qla2xxx_mqueuecommand(), as srb is now
	allocated by upper layers. This fixes smatch warning of srb unintended
	free.

	Link: https://lore.kernel.org/r/20210329085229.4367-7-njavali@marvell.com
	Fixes: af2a0c51b120 ("scsi: qla2xxx: Fix SRB leak on switch command timeout")
	Cc: stable@vger.kernel.org # 5.5
	Reported-by: Laurence Oberman <loberman@redhat.com>
	Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
	Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
	Signed-off-by: Arun Easi <aeasi@marvell.com>
	Signed-off-by: Nilesh Javali <njavali@marvell.com>
	Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	drivers/scsi/qla2xxx/qla_os.c \| 7 -------
	1 file changed, 7 deletions(-)

	--- a/drivers/scsi/qla2xxx/qla_os.c
	+++ b/drivers/scsi/qla2xxx/qla_os.c
	@@ -983,8 +983,6 @@ qla2xxx_mqueuecommand(struct Scsi_Host *
	if (rval != QLA_SUCCESS) {
	ql_dbg(ql_dbg_io + ql_dbg_verbose, vha, 0x3078,
	"Start scsi failed rval=%d for cmd=%p.\n", rval, cmd);
	- if (rval == QLA_INTERFACE_ERROR)
	- goto qc24_free_sp_fail_command;
	goto qc24_host_busy_free_sp;
	}

	@@ -996,11 +994,6 @@ qc24_host_busy_free_sp:
	qc24_target_busy:
	return SCSI_MLQUEUE_TARGET_BUSY;

	-qc24_free_sp_fail_command:
	- sp->free(sp);
	- CMD_SP(cmd) = NULL;
	- qla2xxx_rel_qpair_sp(sp->qpair, sp);
	-
	qc24_fail_command:
	cmd->scsi_done(cmd);