On Mon, 31 Aug 2020, 9:18am, Daniel Wagner wrote: > > Emit a warning when ->done or ->free are called on an already freed > srb. There is a hidden use-after-free bug in the driver which corrupts > the srb memory pool which originates from the cleanup callbacks. By > explicitly resetting the callbacks to NULL, we workaround the memory > corruption. > > An extensive search didn't bring any lights on the real problem. The > initial idea was to set both pointers to NULL and try to catch invalid > accesses. But instead the memory corruption was gone and the driver > didn't crash. > > Signed-off-by: Daniel Wagner <dwagner@xxxxxxx> > --- > drivers/scsi/qla2xxx/qla_init.c | 10 ++++++++++ > drivers/scsi/qla2xxx/qla_inline.h | 5 +++++ > 2 files changed, 15 insertions(+) > > diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c > index 57a2d76aa691..9e9360a4aeb5 100644 > --- a/drivers/scsi/qla2xxx/qla_init.c > +++ b/drivers/scsi/qla2xxx/qla_init.c > @@ -63,6 +63,16 @@ void qla2x00_sp_free(srb_t *sp) > qla2x00_rel_sp(sp); > } > > +void qla2xxx_rel_done_warning(srb_t *sp, int res) > +{ > + WARN_ONCE(1, "Calling done() of an already freed srb object\n"); > +} > + > +void qla2xxx_rel_free_warning(srb_t *sp) > +{ > + WARN_ONCE(1, "Calling free() of an already freed srb object\n"); > +} Please print the address of srb too for the above two functions. With that, looks good. Regards, -Arun
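Review bot: In the qla_init.c hunk, both qla2xxx_rel_done_warning() and qla2xxx_rel_free_warning() accept the srb pointer but never use it, so the WARN_ONCE text carries nothing that ties the splat to a particular srb; print the pointer value in the message, e.g. `WARN_ONCE(1, "Calling done() of an already freed srb object (sp=%p)\n", sp);` (only the address, never a dereference of sp, since the object is by definition freed at this point). Note also that WARN_ONCE reports only the first hit, so with the callbacks swapped in as stubs every later use-after-free on the srb pool is silently swallowed; if the intent is to keep diagnosing rather than just to survive, a plain WARN() or a rate-limited variant would preserve the later occurrences. The two functions are non-static and the diffstat lists only qla_inline.h as the other touched file, so make sure their prototypes are declared there (or in the driver's global header) to avoid missing-prototype warnings. Finally, the commit message says the callbacks are "reset to NULL", but this hunk installs non-NULL warning stubs; the message should describe the mechanism the patch actually uses.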