scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd

In qla2x00_async_tm_cmd, we reference off sp after it has been freed. This caused a panic on a system running a slub debug kernel. Since fcport is passed in anyways, just use that instead. Signed-off-by: Bill Kuzeja <william.kuzeja@stratus.com> Acked-by: Giridhar Malavali <gmalavali@marvell.com> Acked-by: Himanshu Madhani <hmadhani@marvell.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
author: Bill Kuzeja <William.Kuzeja@stratus.com> 2019-02-12 09:29:50 -0500
committer: Martin K. Petersen <martin.petersen@oracle.com> 2019-02-12 22:23:12 -0500
commit: 388a49959ee4e4e99f160241d9599efa62cd4299 (patch)
tree: 9b19dbaacda71ed50f59866f858aeda7171da0b6
parent: e4a056987c86f402f1286e050b1dee3f4ce7c7eb (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 364bb52ed2a6..109587e62983 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -1785,13 +1785,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
                /* Issue Marker IOCB */
                qla2x00_marker(vha, vha->hw->req_q_map[0],
-                    vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun,
+                    vha->hw->rsp_q_map[0], fcport->loop_id, lun,
                    flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
        }
 done_free_sp:
        sp->free(sp);
-        sp->fcport->flags &= ~FCF_ASYNC_SENT;
+        fcport->flags &= ~FCF_ASYNC_SENT;
 done:
        return rval;
 }
author	Bill Kuzeja <William.Kuzeja@stratus.com>	2019-02-12 09:29:50 -0500
committer	Martin K. Petersen <martin.petersen@oracle.com>	2019-02-12 22:23:12 -0500
commit	388a49959ee4e4e99f160241d9599efa62cd4299 (patch)
tree	9b19dbaacda71ed50f59866f858aeda7171da0b6
parent	e4a056987c86f402f1286e050b1dee3f4ce7c7eb (diff)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c index 364bb52ed2a6..109587e62983 100644 --- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -1785,13 +1785,13 @@ qla2x00_async_tm_cmd(fc_port_t *fcport, uint32_t flags, uint32_t lun,
1785		1785
1786	/* Issue Marker IOCB */	1786	/* Issue Marker IOCB */
1787	qla2x00_marker(vha, vha->hw->req_q_map[0],	1787	qla2x00_marker(vha, vha->hw->req_q_map[0],
1788	vha->hw->rsp_q_map[0], sp->fcport->loop_id, lun,	1788	vha->hw->rsp_q_map[0], fcport->loop_id, lun,
1789	flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);	1789	flags == TCF_LUN_RESET ? MK_SYNC_ID_LUN : MK_SYNC_ID);
1790	}	1790	}
1791		1791
1792	done_free_sp:	1792	done_free_sp:
1793	sp->free(sp);	1793	sp->free(sp);
1794	sp->fcport->flags &= ~FCF_ASYNC_SENT;	1794	fcport->flags &= ~FCF_ASYNC_SENT;
1795	done:	1795	done:
1796	return rval;	1796	return rval;
1797	}	1797	}