On 5/12/2020 11:19 AM, Dan Carpenter wrote:
The "axchg" pointer is dereferenced when we call the
lpfc_nvme_unsol_ls_issue_abort() function. It can't be either freed or
NULL.
Fixes: 3a8070c567aa ("lpfc: Refactor NVME LS receive handling")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/scsi/lpfc/lpfc_sli.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index 38889cb6e1996..fcf51b4192d66 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -2895,14 +2895,14 @@ lpfc_nvme_unsol_ls_handler(struct lpfc_hba *phba, struct lpfc_iocbq *piocb)
(phba->nvmet_support) ? "T" : "I", ret);
out_fail:
- kfree(axchg);
-
/* recycle receive buffer */
lpfc_in_buf_free(phba, &nvmebuf->dbuf);
/* If start of new exchange, abort it */
- if (fctl & FC_FC_FIRST_SEQ && !(fctl & FC_FC_EX_CTX))
+ if (axchg && (fctl & FC_FC_FIRST_SEQ) && !(fctl & FC_FC_EX_CTX))
lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid);
+
+ kfree(axchg);
}
/**
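Review bot: In the new test `if (axchg && (fctl & FC_FC_FIRST_SEQ) && !(fctl & FC_FC_EX_CTX))`, a NULL axchg means a first-sequence frame of a new exchange now leaves out_fail with no abort issued, and nothing in the hunk documents that. A one-line comment above the condition saying the abort is skipped when there is no axchg would make this deliberate rather than incidental. Separately, because `kfree(axchg);` now follows `lpfc_nvme_unsol_ls_issue_abort(phba, axchg, sid, oxid);` immediately, the changelog should confirm that the abort call does not keep a reference to axchg after it returns. Otherwise the free has only moved the stale-pointer window instead of closing it.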
Reviewed-by: James Smart <james.smart@xxxxxxxxxxxx>
Thank You
-- james