Re: [PATCH] scsi: qla2xxx: Fix use after free in debug code

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Aug 3, 2021, at 10:56 AM, Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> 
> The sp->free(sp); call frees "sp" and then the debug code dereferences
> it on the next line.  Swap the order.
> 
> Fixes: 84318a9f01ce ("scsi: qla2xxx: edif: Add send, receive, and accept for auth_els")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/scsi/qla2xxx/qla_bsg.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c
> index 0739f8ad525a..4b5d28d89d69 100644
> --- a/drivers/scsi/qla2xxx/qla_bsg.c
> +++ b/drivers/scsi/qla2xxx/qla_bsg.c
> @@ -25,12 +25,12 @@ void qla2x00_bsg_job_done(srb_t *sp, int res)
> 	struct bsg_job *bsg_job = sp->u.bsg_job;
> 	struct fc_bsg_reply *bsg_reply = bsg_job->reply;
> 
> -	sp->free(sp);
> -
> 	ql_dbg(ql_dbg_user, sp->vha, 0x7009,
> 	    "%s: sp hdl %x, result=%x bsg ptr %p\n",
> 	    __func__, sp->handle, res, bsg_job);
> 
> +	sp->free(sp);
> +
> 	bsg_reply->result = res;
> 	bsg_job_done(bsg_job, bsg_reply->result,
> 		       bsg_reply->reply_payload_rcv_len);
> -- 
> 2.20.1
> 

Reviewed-by: Himanshu Madhani <himanshu.madhani@xxxxxxxxxx>

--
Himanshu Madhani	 Oracle Linux Engineering





[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux