From: Daniel Wagner
To: linux-scsi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Nilesh Javali, Daniel Wagner
Subject: [PATCH 1/4] qla2xxx: Reset done and free callback pointer on release
Date: Thu, 27 Aug 2020 11:58:26 +0200
Message-Id: <20200827095829.63871-2-dwagner@suse.de>
X-Mailer: git-send-email 2.16.4
In-Reply-To: <20200827095829.63871-1-dwagner@suse.de>
References: <20200827095829.63871-1-dwagner@suse.de>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Reset ->done and ->free when releasing the srb.

There is a hidden use-after-free bug in the driver which corrupts the srb memory pool, which originates from the cleanup callbacks. By explicitly resetting the callbacks to NULL, we work around the memory corruption.

An extensive search didn't bring any light on the real problem. The initial idea was to set both pointers to NULL and try to catch invalid accesses. But instead the memory corruption was gone and the driver didn't crash.

Signed-off-by: Daniel Wagner
---
 drivers/scsi/qla2xxx/qla_inline.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/qla2xxx/qla_inline.h b/drivers/scsi/qla2xxx/qla_inline.h index 861dc522723c..6d41d758fc17 100644 --- a/drivers/scsi/qla2xxx/qla_inline.h +++ b/drivers/scsi/qla2xxx/qla_inline.h @@ -211,6 +211,8 @@ static inline void qla2xxx_rel_qpair_sp(struct qla_qpair *qpair, srb_t *sp) { sp->qpair = NULL; + sp->done = NULL; + sp->free = NULL; mempool_free(sp, qpair->srb_mempool); QLA_QPAIR_MARK_NOT_BUSY(qpair); }

-- 
2.16.4
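Review bot: The two added assignments in qla2xxx_rel_qpair_sp() are a mitigation, not a fix, and the hunk should say so in place: the commit message itself states the root cause (a use-after-free originating in the cleanup callbacks) was not found, so a bare `sp->done = NULL; sp->free = NULL;` with no comment will look redundant to the next reader, who may drop it. Suggest a one-line comment above them such as "/* defensive: stale references to a released srb must not reach the old callbacks */" and an explicit "workaround, root cause still open" line in the commit message. Two follow-up points for the author: first, clearing the callbacks only helps if whatever still touches the srb after release tolerates a NULL ->done/->free; if it calls them unconditionally, the change converts silent pool corruption into a NULL-pointer dereference, which is a more diagnosable failure but still a crash, so it would be worth stating which of those two outcomes was observed when the driver "didn't crash". Second, because the fields are now NULL on every object handed back to srb_mempool, please confirm in the message that the allocation path always re-initialises ->done and ->free before use, so no consumer of mempool_alloc() can inherit the cleared pointers. The ordering within the hunk is fine: both writes happen before mempool_free(sp, ...), and the later use of qpair goes through the function parameter rather than the just-cleared sp->qpair.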